OTPulse

Siemens FactoryLink Multiple ActiveX Vulnerabilities

Low Risk | ICS-CERT ICSA-11-343-01 | Sep 11, 2011
Summary

Siemens Tecnomatix FactoryLink contains multiple buffer overflow and other vulnerabilities (CWE-119, CWE-73) in ActiveX controls. These vulnerabilities allow arbitrary code execution or denial of service when a user opens a malicious document or visits a malicious web page on a machine where FactoryLink is installed. Affected versions include V8.0.2.54, V7.5.217_V7.5_SP2, and V6.6.1_V6.6_SP1. No vendor fixes are available for any of these versions.

What this means
What could happen
An attacker who gains access to a workstation running FactoryLink could execute arbitrary code or crash the application through malicious input to ActiveX controls, potentially disrupting plant monitoring and control operations.
Who's at risk
Water authorities and utilities running Siemens Tecnomatix FactoryLink for supervisory monitoring and manufacturing execution should be concerned. The vulnerability affects operators and engineers with access to FactoryLink workstations, particularly those who may browse the internet or receive email on those machines.
How it could be exploited
An attacker would need to trick a user into opening a malicious document or web page that exploits one of the vulnerable ActiveX controls embedded in FactoryLink. The attacker's code then executes with the privileges of the logged-in user on that workstation.
Prerequisites
  • User with FactoryLink installed must be tricked into opening a malicious document or visiting a malicious webpage
  • ActiveX controls must be enabled in the browser or Office application
  • User must have sufficient privileges to execute code on the workstation
no patch available | default credentials not mentioned but ActiveX unsafe by design | requires user interaction (social engineering) | affects SCADA/MES monitoring and control
Exploitability
Moderate exploit probability (EPSS 5.5%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
Tecnomatix FactoryLink: V8.0.2.54 | V8.0.2.54 | No fix yet
Tecnomatix FactoryLink: V7.5.217_V7.5_SP2 | V7.5.217 V7.5 SP2 | No fix yet
Tecnomatix FactoryLink: V6.6.1_V6.6_SP1 | V6.6.1 V6.6 SP1 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict access to FactoryLink workstations to trusted networks only using firewall rules
WORKAROUND: Disable ActiveX controls in web browsers and Office applications if not required for FactoryLink operations
HARDENING: Educate users not to open documents or visit untrusted websites on FactoryLink workstations
Long-term hardening
HARDENING: Run FactoryLink workstations with the least privileges necessary for operators
HARDENING: Monitor for end-of-life status; evaluate upgrade or replacement of Tecnomatix FactoryLink to a supported version or alternative product