Sielco Sistemi WinLog Stack Overflow
Priority: Act Now
Score: 8.1
Source: ICS-CERT ICSA-11-017-02
Date: Oct 20, 2011
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Stack overflow vulnerability in Sielco Sistemi WinLog (Lite and Pro) that allows remote code execution without authentication. A specially crafted network packet can overflow the stack buffer, overwriting the return address and enabling arbitrary code execution on the historian server. Affected versions are WinLog Lite and WinLog Pro below version 2.07.00. No patch has been released by the vendor.
What this means
What could happen
A stack overflow in WinLog allows an attacker to execute arbitrary code on the historian server, potentially disrupting data logging, modifying historical records, or compromising the integrity of the monitoring system that tracks plant operations.
Who's at risk
Water utilities and municipal electric systems using Sielco WinLog (Lite or Pro versions prior to 2.07.00) for operational data logging and historian functions. Organizations relying on WinLog to track and archive measurements from PLCs, RTUs, and SCADA systems.
How it could be exploited
An attacker with network access to the WinLog service would send a specially crafted packet containing oversized input that overflows the stack buffer and overwrites the return address, allowing execution of arbitrary code on the historian server.
Prerequisites
- Network access to the WinLog service port
- No authentication required to trigger the vulnerability
Tags: Remotely exploitable; No authentication required; High EPSS score (71.1%); No patch available
Exploitability
High exploit probability (EPSS 71.1%)
Affected products (2), 2 EOL
Product | Affected Versions | Fix Status
WinLog Lite | <2.07.00 | No fix (EOL)
WinLog Pro | <2.07.00 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to WinLog services using firewall rules; only permit connections from authorized engineering workstations and control systems.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: WinLog Lite: <2.07.00, WinLog Pro: <2.07.00. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate the historian server from the general corporate network and untrusted zones.
- HARDENING: Monitor WinLog service logs for suspicious connection attempts or crashes that may indicate exploitation attempts.
- HARDENING: Evaluate migration to a patched alternative historian or a newer version of WinLog if one becomes available.
CVEs (1)