Wonderware InBatch ActiveX Vulnerabilities
Low RiskICS-CERT ICSA-11-332-01AAug 31, 2011
Summary
Wonderware InBatch contains stack-based buffer overflow vulnerabilities in its ActiveX controls that could allow remote code execution. The vulnerabilities affect versions 8.1 SP1, 9.0, 9.0 SP1, 9.0 SP2, and 9.5. No patches are available from the vendor.
What this means
What could happen
An attacker with network access to a system running Wonderware InBatch could remotely execute arbitrary code on the affected server or client, potentially allowing them to modify batch process parameters, alter production schedules, or disrupt manufacturing operations.
Who's at risk
Manufacturing and batch process operators who rely on Wonderware InBatch for recipe management, batch execution, and production scheduling. This includes pharmaceutical, food and beverage, chemical processing, and other discrete manufacturing facilities that use AVEVA's batch execution platform.
How it could be exploited
An attacker could craft a malicious webpage or document containing a specially formatted ActiveX control parameter that triggers a stack buffer overflow when loaded by a user. The overflow allows arbitrary code execution with the privileges of the user running the browser or application. No authentication is required if the attacker can deliver the malicious content to a target user.
Prerequisites
- System running a vulnerable version of Wonderware InBatch with ActiveX controls enabled
- User interaction (opening a malicious webpage or document in a browser with the vulnerable ActiveX control)
- Network access to the user's system or ability to deliver malicious content via email or web
No patch availableRemotely exploitable via web contentLow complexity exploitationAffects manufacturing operationsStack buffer overflow weakness
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (5)
5 pending
ProductAffected VersionsFix Status
Wonderware InBatch Server and Runtime Clients: 8.1|SP18.1|SP1No fix yet
Wonderware InBatch Server and Runtime Clients: 9.0|SP29.0|SP2No fix yet
Wonderware InBatch Server and Runtime Clients: 9.59.5No fix yet
Wonderware InBatch: 9.09.0No fix yet
Wonderware InBatch: 9.0_SP1.9.0 SP1.No fix yet
Remediation & Mitigation
0/5
Do now
0/1WORKAROUNDDisable or restrict ActiveX control execution in web browsers on engineering workstations and servers running Wonderware InBatch
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HARDENINGRestrict user access and privileges on systems running Wonderware InBatch to the minimum required for job functions
HARDENINGMonitor for and block malicious webpages, emails, and documents that could deliver exploit payloads targeting Wonderware InBatch
Long-term hardening
0/2HARDENINGImplement network segmentation to isolate Wonderware InBatch systems from untrusted networks and the internet
HARDENINGEvaluate migration to current-generation AVEVA batch execution products that receive active vendor support and security updates
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/a9573051-a47f-4cd9-acb6-08f0434c3a9c