OTPulse

Wonderware Information Server

Low Risk · ICS-CERT ICSA-11-195-01 · Apr 16, 2011
Summary

Wonderware Information Server versions 3.1, 4.0, and 4.0_SP1 are vulnerable to a stack-based buffer overflow (CWE-121) that could allow remote code execution. The vulnerability is triggered by sending specially crafted network input that overflows a stack buffer, enabling arbitrary code execution on the Information Server. No vendor patch is available for any affected version.

What this means
What could happen
A stack-based buffer overflow in Wonderware Information Server could allow an attacker with network access to execute arbitrary code on the server, potentially disrupting real-time data collection and historical data integrity for your industrial operations.
Who's at risk
Operators and engineers at water utilities, electric utilities, and manufacturing facilities using Wonderware Information Server for SCADA data collection, historian functions, and real-time monitoring. This affects any organization relying on Wonderware Information Server 3.1, 4.0, or 4.0 SP1 for operational visibility and process data logging.
How it could be exploited
An attacker sends a specially crafted network message to the Information Server that triggers a stack-based buffer overflow (CWE-121). If the server accepts the malformed input without proper bounds checking, the attacker can overwrite stack memory and inject code that executes with the privileges of the Information Server process.
Prerequisites
  • Network connectivity to the Wonderware Information Server port(s)
  • Server must accept and process the malformed input without crashing immediately
remotely exploitable · no patch available · affects data integrity and availability of industrial operations · end-of-life product with no vendor support
Exploitability
Moderate exploit probability (EPSS 3.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
Wonderware Information Server: 3.1 | 3.1 | No fix (EOL)
Wonderware Information Server: 4.0 | 4.0 | No fix (EOL)
Wonderware Information Server: 4.0_SP1 | 4.0 SP1 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to Wonderware Information Server to only authorized engineering workstations and HMI clients; block external access from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Evaluate migration to a current, supported version of AVEVA software that includes security patches and vendor support
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Wonderware Information Server: 3.1, Wonderware Information Server: 4.0, Wonderware Information Server: 4.0_SP1. Apply the following compensating controls:
HARDENING: Isolate Wonderware Information Server on a dedicated control network segment with strict ingress/egress rules
HARDENING: Monitor network traffic to and from the Information Server for suspicious connection attempts or malformed packets