Wonderware System Platform Buffer Overflows
Low Risk | ICS-CERT ICSA-12-081-01 | Dec 23, 2012
Summary
Multiple buffer overflow vulnerabilities exist in Wonderware System Platform components including Application Server, Foxboro Control Software, InFusion CE/FE/SCADA, Information Server, ArchestrA Application Object Toolkit, and InTouch. These vulnerabilities result from improper bounds checking in memory operations, allowing potential remote code execution on affected systems.
What this means
What could happen
An attacker could execute arbitrary code on vulnerable Wonderware servers and engineering workstations, potentially allowing them to modify process configurations, alter setpoints, disable alarms, or disrupt communications with field devices and control systems.
Who's at risk
Energy sector operators and utilities running Wonderware System Platform for SCADA, process control, or data acquisition should be concerned. This includes operators of power generation facilities, substations, and distribution systems using InTouch HMI, Foxboro control systems, and Information Server for monitoring and configuration.
How it could be exploited
An attacker with network access to the Wonderware application servers or engineering workstations could send specially crafted input to trigger a buffer overflow in one of the affected components, overwriting memory and executing arbitrary code with the privileges of the running application.
Prerequisites
- Network access to Wonderware Application Server, Information Server, or engineering workstations running InTouch or ArchestrA
- Affected product version in use (all listed versions are vulnerable)
- No authentication typically required for network-based exploitation
Tags: remotely exploitable, low complexity, no patch available, affects critical control systems, buffer overflow in memory handling
Exploitability
Moderate exploit probability (EPSS 2.7%)
Affected products (6)
6 EOL
Product                                Affected Versions   Fix Status
Wonderware Application Server          ≤ 2012              No fix (EOL)
Wonderware Information Server          ≤ 4.5               No fix (EOL)
InTouch                                ≥ 10.0|<10.5        No fix (EOL)
Foxboro Control Software               ≤ 3.1               No fix (EOL)
InFusion CE/FE/SCADA                   ≤ 2.5               No fix (EOL)
ArchestrA Application Object Toolkit   ≤ 3.2               No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Isolate Wonderware servers and engineering workstations on a separate network segment with firewall rules limiting inbound and outbound connections
- HARDENING: Implement network access controls restricting connections to Wonderware Application Server and Information Server to known engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Apply host-based intrusion detection and behavioral monitoring to Wonderware systems to detect exploitation attempts
Long-term hardening
- HOTFIX: Plan migration to newer versions of Wonderware products that address these vulnerabilities
CVEs (2)