OTPulse

Wonderware Information Server Multiple Vulnerabilities

Low Risk · ICS-CERT ICSA-12-062-01 · Dec 4, 2012
Summary

Wonderware Information Server Portal and Client versions 4.0 SP1 and 4.5 contain SQL injection (CWE-89), cross-site scripting (CWE-79), and improper access control (CWE-284) vulnerabilities. SQL injection could allow an attacker to execute arbitrary database commands or extract sensitive data. Cross-site scripting could enable session hijacking or credential theft from the browsers of operators who view the injected content. Improper access control may permit unauthorized modification of system settings or data.

What this means
What could happen
SQL injection and cross-site scripting vulnerabilities in Wonderware Information Server could allow an attacker to inject malicious commands or scripts, potentially compromising data integrity, stealing credentials, or redirecting operators to malicious sites.
Who's at risk
Water utilities and electric utilities running Wonderware Information Server Portal or Client (versions 4.0 SP1 and 4.5) for SCADA data management, reporting, and operator interfaces should assess their exposure. Exposure extends to every operator or engineer who accesses the Portal or Client to view process data, generate reports, or manage alarms, since their browser sessions are the target of the cross-site scripting flaw.
How it could be exploited
An attacker could craft malicious SQL fragments or JavaScript payloads and submit them through input fields of the Information Server Portal or Client interface (CWE-89 SQL injection, CWE-79 XSS). Because the application does not properly validate user input, the SQL fragment is executed by the database with the privileges of the application's database account, and the script executes in the browser of any user who views the page that reflects or stores it, allowing data extraction, modification, or session hijacking.
Prerequisites
  • Network access to Wonderware Information Server Portal or Client interface
  • Ability to submit input through a Portal or Client form; no privileges beyond what the form itself requires, and none at all where the input field is reachable without logging in
Tags: SQL injection (CWE-89) · Cross-site scripting (CWE-79) · Improper access control (CWE-284) · No patch available (end-of-life product) · Input validation weakness · Affects legacy SCADA information system
Exploitability
Low exploit probability (EPSS 1.0%). EPSS estimates the likelihood of exploitation activity in the wild across the internet, not the risk to a particular deployment; a Portal reachable from an untrusted network segment should still be treated as an open injection surface.
Affected products (2, both EOL)

Product                               Affected versions   Fix status
Wonderware Information Server Portal  4.0 SP1, 4.5        No fix (EOL)
Wonderware Information Server Client  4.0 SP1, 4.5        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Put input validation and output encoding in front of the application, since the EOL product's own code cannot be changed: reject or encode SQL metacharacters and HTML/JavaScript in request parameters at a reverse proxy or web-server request filter. Treat character blacklists as a stopgap only; they do not cover numeric or otherwise unquoted contexts, and the real fix (parameterized queries and context-aware output encoding) can only be made in the application itself.
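The exploitation path described under "How it could be exploited" and the validation/encoding workaround above, as an added example that is not code from the original page or from the Wonderware/AVEVA product: a constructed SQLite reporting table stands in for the Portal's database (the schema, tag names and page markup are assumptions for illustration). It places the vulnerable string-spliced query beside its parameterized form, shows the quote-stripping blacklist the workaround describes and the unquoted numeric context that defeats it, and renders a reflected parameter once unencoded and once HTML-escaped.

```python
import html
import sqlite3


def make_db():
    """Constructed stand-in for a reporting table; this is not WIS's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_values (tagname TEXT, value REAL, owner TEXT)")
    conn.executemany(
        "INSERT INTO tag_values VALUES (?, ?, ?)",
        [
            ("PumpStation1.Flow", 12.5, "operator"),
            ("PumpStation1.Pressure", 3.1, "operator"),
            ("Plant.SetpointSecret", 99.0, "admin"),
        ],
    )
    return conn


def lookup_vulnerable(conn, tagname):
    """CWE-89: the request parameter is spliced into the statement text."""
    sql = "SELECT tagname, value FROM tag_values WHERE tagname = '%s'" % tagname
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, tagname):
    """Bound parameter: the value travels separately from the statement and is never parsed as SQL."""
    sql = "SELECT tagname, value FROM tag_values WHERE tagname = ?"
    return conn.execute(sql, (tagname,)).fetchall()


def strip_sql_specials(value):
    """The 'sanitize special characters' workaround: a blacklist, kept here to show its limits."""
    for token in ("'", '"', ";", "--"):
        value = value.replace(token, "")
    return value


def above_threshold_vulnerable(conn, threshold):
    """Numeric context: the parameter is not quoted, so the blacklist has nothing to strip."""
    sql = "SELECT tagname, value FROM tag_values WHERE value > %s" % strip_sql_specials(threshold)
    return conn.execute(sql).fetchall()


def above_threshold_parameterized(conn, threshold):
    """Validate the type first, then bind; a non-numeric threshold is rejected (None)."""
    try:
        bound = float(threshold)
    except ValueError:
        return None
    sql = "SELECT tagname, value FROM tag_values WHERE value > ?"
    return conn.execute(sql, (bound,)).fetchall()


def render_vulnerable(tagname, rows):
    """CWE-79: the request parameter and the rows are reflected into HTML verbatim."""
    items = "".join("<li>%s=%s</li>" % (t, v) for t, v in rows)
    return "<h2>Results for %s</h2><ul>%s</ul>" % (tagname, items)


def render_encoded(tagname, rows):
    """Output encoding: every untrusted value is escaped for the HTML text context it lands in."""
    def esc(s):
        return html.escape(str(s), quote=True)
    items = "".join("<li>%s=%s</li>" % (esc(t), esc(v)) for t, v in rows)
    return "<h2>Results for %s</h2><ul>%s</ul>" % (esc(tagname), items)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, tautology))      # every row, including admin-owned
    print("parameterized lookup:", lookup_parameterized(db, tautology))  # no row has that literal name
    print("blacklisted numeric:", above_threshold_vulnerable(db, "1000 OR 1=1"))
    print("validated numeric:", above_threshold_parameterized(db, "1000 OR 1=1"))
    xss = "<script>alert(document.cookie)</script>"
    print(render_vulnerable(xss, []))
    print(render_encoded(xss, []))
```

The point of the numeric case is the one the workaround glosses over: stripping quotes and comment markers stops the tautology in the string context but does nothing for `WHERE value > 1000 OR 1=1`, whereas type validation plus a bound parameter rejects it before the database ever sees it.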
Schedule — requires maintenance window

Migration to a supported product (or any future patch) will require downtime and a reboot of the server; plan for the interruption to process-data collection and reporting.

HOTFIX: No security update is planned for these end-of-life versions, so do not wait for one. Schedule migration to a currently supported AVEVA product as the only durable fix, and keep the compensating controls below in place until the migration is complete.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Wonderware Information Server Portal 4.0 SP1 and 4.5, Wonderware Information Server Client 4.0 SP1 and 4.5. Apply the following compensating controls:
HARDENING: Restrict network access to the Wonderware Information Server Portal and Client to trusted engineering workstations and operator consoles only; enforce this with firewall rules keyed to source IP address and network segment, on the network boundary and on the server's own host firewall
HARDENING: Monitor Wonderware Information Server web-server logs and network traffic for SQL syntax (quotes, UNION SELECT, comment terminators) or script fragments (script tags, event handlers) in request parameters; URL-decode parameter values before matching, since payloads are routinely encoded once or twice to slip past naive string matching
HARDENINGIsolate legacy Wonderware Information Server systems on a segregated OT network with no direct internet or DMZ connectivity
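The log-monitoring control above, as an added example that is not part of the original page or of any vendor tooling. The Portal is a web application, and the example assumes it is hosted on IIS with W3C extended logging enabled, so the parser takes its column names from the #Fields header; the log lines, paths, usernames and addresses are constructed for the example. Request parameters are URL-decoded until they stop changing before matching, so double-encoded payloads are both caught and flagged as such.

```python
import re
import urllib.parse

# Constructed sample in IIS W3C extended log format (assumption: the Portal is an
# IIS-hosted site logging in this format). Paths, hosts, users and times are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-12-04 09:15:02 10.10.1.5 GET /Portal/Report.aspx tag=PumpStation1.Flow 80 operator1 10.10.1.50 Mozilla/4.0 200 0 0 125
2012-12-04 09:16:44 10.10.1.5 GET /Portal/Report.aspx tag=%27+OR+%271%27%3D%271 80 - 10.10.9.77 Mozilla/4.0 200 0 0 311
2012-12-04 09:17:01 10.10.1.5 GET /Portal/Search.aspx q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E 80 - 10.10.9.77 Mozilla/4.0 200 0 0 98
2012-12-04 09:18:30 10.10.1.5 GET /Portal/Report.aspx tag=%2527%2520UNION%2520SELECT%2520name%2520FROM%2520sysobjects-- 80 - 10.10.9.77 Mozilla/4.0 500 0 0 40
"""

# Heuristic indicators; tune against the site's own legitimate parameter values.
SQLI_PATTERNS = [
    r"'\s*(or|and)\s+'?\w+'?\s*=",                               # tautology such as ' OR '1'='1
    r"\bunion\b(\s+all)?\s+select\b",                            # UNION-based column extraction
    r"--\s*$|/\*",                                               # comment terminators that discard the query tail
    r"\b(xp_cmdshell|sp_executesql|sysobjects|information_schema)\b",
    r"\bwaitfor\s+delay\b",                                      # time-based blind probing
]
XSS_PATTERNS = [
    r"<\s*/?\s*script\b",
    r"\bon[a-z]+\s*=",                                           # inline event handlers such as onerror=
    r"javascript\s*:",
    r"<\s*(iframe|img|svg|object|embed)\b",
]


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), so %2527 -> %27 -> ' surfaces.
    Returns (decoded_value, rounds_needed); rounds >= 2 means the request was double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def parse_w3c(text):
    """Yield one dict per request, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(query):
    """Return 'sqli', 'xss' or None for a decoded query string."""
    for category, patterns in (("sqli", SQLI_PATTERNS), ("xss", XSS_PATTERNS)):
        if any(re.search(p, query, re.I) for p in patterns):
            return category
    return None


def scan(text):
    """Run the indicators over every request and return the suspicious ones in log order."""
    findings = []
    for rec in parse_w3c(text):
        query, rounds = decode_fully(rec.get("cs-uri-query", "-"))
        category = classify(query)
        if category is None:
            continue
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "src": rec["c-ip"],
            "user": rec["cs-username"],
            "path": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "category": category,
            "double_encoded": rounds >= 2,
            "query": query,
        })
    return findings


def hits_by_source(findings):
    """Count findings per client address, the unit you would block or investigate."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = " (double-encoded)" if f["double_encoded"] else ""
        print("%s %s %s %s %s%s %s" % (f["time"], f["src"], f["category"], f["path"], f["status"], flag, f["query"]))
    print(hits_by_source(scan(SAMPLE_LOG)))
```

Two details matter in practice: decoding before matching (the last sample line only reveals UNION SELECT after a second decode, which is itself a signal worth alerting on), and carrying the HTTP status with each finding, since a 500 on an injected parameter is the classic sign that the fragment reached the database parser.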