Wonderware InBatch Client ActiveX Buffer Overflow
Priority: Act Now | Score: 9.8 | Advisory: ICS-CERT ICSA-11-094-01 | Date: Jan 5, 2011
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Wonderware InBatch 8.1 and 9.0 Runtime Clients contain a buffer overflow vulnerability in the ActiveX component. The vulnerability can be triggered remotely without authentication over the network, allowing an attacker to execute arbitrary code with the privileges of the InBatch application.
What this means
What could happen
An attacker could run arbitrary code on the InBatch Runtime Client, with no authentication required, and could then alter recipe parameters or batch process logic, or stop batch operations entirely.
Who's at risk
Batch process operators and manufacturing control system administrators at pharmaceutical, chemical, and food & beverage facilities using Wonderware InBatch 8.1 or 9.0 for recipe development and batch execution on Windows workstations.
How it could be exploited
An attacker sends a specially crafted network packet to the ActiveX component of the InBatch Runtime Client; this advisory does not identify the listening port. The malformed packet triggers a buffer overflow in the component's memory handling, letting the attacker execute arbitrary code on the client workstation with the same privileges as the InBatch application.
Prerequisites
- Network access to the InBatch Runtime Client port
- No authentication required
- Attacker must craft a specific malformed input packet
Tags: remotely exploitable; no authentication required; low complexity; no patch available; actively developed product without vendor fix
Exploitability
Moderate exploit probability (EPSS 2.8%)
Affected products (2)
2 pending a fix
Product | Component | Affected Versions | Fix Status
Wonderware InBatch 8.1 | InBatch Runtime Clients | vers:all/* (all versions) | No fix yet
Wonderware InBatch 9.0 | InBatch Runtime Clients | vers:all/* (all versions) | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Isolate InBatch clients from untrusted networks with firewall rules; restrict inbound access to the InBatch port to authorized engineering workstations and servers only.
HARDENING: Disable ActiveX controls in web browsers on InBatch client workstations, and if InBatch clients must be reached remotely, allow that access only from the local control network.
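Worked example for the two "Do now" items above. This is an added illustration, not code from the ICS-CERT advisory or from Invensys/Wonderware. It assumes a Windows 8 / Server 2012 or later workstation with the NetSecurity module and an elevated PowerShell; the InBatch listening port ($InBatchPort), the allowlist ($AllowedHosts) and the control's CLSID ($ControlClsid) are placeholders you must supply, since this page names none of them.

```powershell
# Added example (not from the advisory or the vendor): restrict the InBatch client
# port to allowlisted peers with the host firewall, and set the Internet Explorer
# kill bit so browsers cannot instantiate the vulnerable ActiveX control.
#Requires -RunAsAdministrator
param(
    # ASSUMPTION: the advisory does not name the port; pass the one your client listens on.
    [Parameter(Mandatory)] [int] $InBatchPort,
    # ASSUMPTION: placeholder engineering workstation and InBatch server subnet.
    [string[]] $AllowedHosts = @('10.10.1.5', '10.10.1.0/24'),
    # ASSUMPTION: placeholder CLSID; the control's real CLSID is not given on this page.
    [string] $ControlClsid = '{00000000-0000-0000-0000-000000000000}'
)

$ruleName = 'InBatch client - allowlisted peers'

# 1. Windows Firewall evaluates Block rules before Allow rules, so an explicit
#    "block everything on this port" rule beside the allow rule would also drop the
#    allowlisted hosts. Rely on the profile default (Block) for everything else.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Re-create the rule so the script is idempotent.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $InBatchPort -RemoteAddress $AllowedHosts -Profile Any | Out-Null

# 2. ActiveX kill bit: "Compatibility Flags" = 0x400 tells Internet Explorer (and other
#    hosts that honour the flag) never to load this control. On 64-bit Windows set it
#    in both the native and the Wow6432Node views.
$killBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ControlClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$ControlClsid"
)
foreach ($key in $killBitKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# 3. Verify: show which remote addresses the rule admits and the kill-bit values.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
foreach ($key in $killBitKeys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    '{0} -> 0x{1:X}' -f $key, $flags
}
```

Run it as `.\Harden-InBatchClient.ps1 -InBatchPort <port> -AllowedHosts 10.10.1.5,10.10.1.0/24 -ControlClsid '{...}'` on one workstation first and confirm the InBatch client still starts and reaches its server: the kill bit only affects hosts that consult the ActiveX Compatibility key (Internet Explorer and applications embedding it), but the InBatch client's own use of the control must be confirmed after the change.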
Long-term hardening
HARDENING: Implement network segmentation to place InBatch clients on a separate VLAN from the corporate network and external connections.
HARDENING: Monitor InBatch client network traffic for unusual connection attempts or malformed packets.
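Worked example for the monitoring item above, added here and not part of the ICS-CERT advisory: summarize inbound connection attempts to the InBatch client port from hosts outside the allowlist, using Windows Filtering Platform audit events (Security log ID 5156 = connection allowed, 5157 = connection blocked). The port, allowlist and event records below are constructed placeholders so the function runs offline; the real events come from the Security log after enabling the audit subcategory shown in the comments.

```powershell
# Added example (not from the advisory or the vendor): detection over WFP audit events.
# To collect real events on a workstation, first run (elevated):
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
# then read them with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156, 5157 }
# In real event XML the Direction field is "%%14592" (Inbound) / "%%14593" (Outbound);
# map it to the plain strings used here before calling the function.

function Find-UnexpectedInBatchConnections {
    param(
        # Objects with Id, Direction, SourceAddress, DestPort (see $SampleEvents below).
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [int]      $InBatchPort,
        # ASSUMPTION: exact IPv4 addresses only; CIDR ranges are not expanded here.
        [Parameter(Mandatory)] [string[]] $AllowedHosts
    )
    $Events |
        Where-Object { $_.Direction -eq 'Inbound' -and [int]$_.DestPort -eq $InBatchPort } |
        Where-Object { $AllowedHosts -notcontains $_.SourceAddress } |
        Group-Object SourceAddress |
        ForEach-Object {
            [pscustomobject]@{
                SourceAddress = $_.Name
                Attempts      = $_.Count
                Blocked       = @($_.Group | Where-Object Id -eq 5157).Count
                Allowed       = @($_.Group | Where-Object Id -eq 5156).Count
            }
        } |
        Sort-Object Attempts -Descending
}

# ASSUMPTION: placeholder port and allowlist; the advisory names neither.
$InBatchPort  = 40000
$AllowedHosts = @('10.10.1.5', '10.10.1.6')

# Constructed sample events (not real log data), shaped like 5156/5157 records.
$SampleEvents = @(
    [pscustomobject]@{ Id = 5156; Direction = 'Inbound';  SourceAddress = '10.10.1.5';    DestPort = 40000 }  # allowlisted
    [pscustomobject]@{ Id = 5157; Direction = 'Inbound';  SourceAddress = '10.20.3.77';   DestPort = 40000 }  # blocked, unexpected
    [pscustomobject]@{ Id = 5157; Direction = 'Inbound';  SourceAddress = '10.20.3.77';   DestPort = 40000 }  # blocked, repeated
    [pscustomobject]@{ Id = 5156; Direction = 'Inbound';  SourceAddress = '192.168.50.9'; DestPort = 40000 }  # allowed but NOT allowlisted: rule gap
    [pscustomobject]@{ Id = 5156; Direction = 'Outbound'; SourceAddress = '10.10.1.5';    DestPort = 40000 }  # outbound, ignored
    [pscustomobject]@{ Id = 5157; Direction = 'Inbound';  SourceAddress = '10.20.3.77';   DestPort = 445   }  # other port, ignored
)

Find-UnexpectedInBatchConnections -Events $SampleEvents -InBatchPort $InBatchPort -AllowedHosts $AllowedHosts |
    Format-Table -AutoSize
```

On the sample data the report lists 10.20.3.77 with two blocked attempts and 192.168.50.9 with one allowed connection. The second line is the more important finding: a non-allowlisted host that was allowed through means the firewall rule set does not match the allowlist and should be corrected before the count of blocked probes is investigated.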
CVEs (1)
API:
/api/v1/advisories/4d20c958-3438-419d-ae14-bce7e9b3f58f