OTPulse

Invensys Wonderware InTouch 10 DLL Hijack

Risk: Low | Source: ICS-CERT ICSA-12-177-02 | Date: Mar 29, 2012
Summary

A DLL hijacking vulnerability in multiple Invensys Wonderware products allows local code execution. The affected applications search for dynamic link libraries (DLLs) in directories that untrusted users may be able to write to before they search the protected system directories. An attacker with write access to one of those directories can place a DLL carrying the name of a library the application expects; when the application starts, or loads the feature that needs that library, it loads and executes the attacker's code with the application's privileges. No vendor patches are available. Affected versions: InTouch (all versions before 2012), Wonderware Application Server (before 2012), Information Server (before 4.5), Foxboro Control Software (before 4.0), InFusion CE/FE/SCADA (before 2.5), InBatch (before 9.5 SP1), and Wonderware Historian (before 10.0 SP1).

What this means
What could happen
A DLL hijacking vulnerability could allow an attacker with local access to execute arbitrary code on machines running these Invensys Wonderware products, potentially compromising HMI systems, data historians, and control software that operators rely on to monitor and manage industrial processes.
Who's at risk
Energy sector operators using Invensys Wonderware HMI, Historian, Information Server, or control software for SCADA and process monitoring should evaluate their deployment. This particularly affects users running legacy InTouch versions and Wonderware Application Server instances that interface with PLCs and field devices.
How it could be exploited
An attacker would place a malicious DLL file in a directory where the Wonderware application searches for libraries before checking the legitimate system paths. When the application starts or loads a feature, it would execute the attacker's DLL instead of the legitimate one, allowing arbitrary code execution in the context of the running application.
Prerequisites
  • Local file system write access to directories in the application's DLL search path
  • Ability to place files on the machine running Wonderware software (via physical access, shared network drive, or compromised user account)
  • Application must be restarted or the feature must be loaded after the malicious DLL is planted
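The search-order behaviour described in "How it could be exploited" and the prerequisites above, as an added example that is not part of the advisory or of any Invensys/Wonderware code: a Python model of the directory order the Windows loader uses for a bare DLL name (legacy order versus SafeDllSearchMode), a throwaway directory layout with a planted copy of an illustrative library, and an audit that reports which copy would be loaded. The directory names, the `operator` account and the file name `example.dll` are constructed for the demonstration; the vendor's real library names are not on this page.

```python
"""Model of the Windows DLL search order plus a throwaway lab showing a
planted DLL shadowing the legitimate one.  Added example for this advisory,
not Invensys/Wonderware code; all paths and file names are constructed."""
import os
import tempfile
from pathlib import Path


def search_order(app_dir, cwd, system_dirs, path_dirs, safe_dll_search=True):
    """Directories consulted, in order, when a program loads a DLL by bare name.
    SafeDllSearchMode (the default since Windows XP SP2) searches the current
    directory after the system directories; legacy mode searches it second,
    right after the application directory.  The application directory is
    always first, which is why a DLL planted next to the executable wins in
    either mode."""
    order = [Path(app_dir)]
    if not safe_dll_search:
        order.append(Path(cwd))
    order.extend(Path(d) for d in system_dirs)
    if safe_dll_search:
        order.append(Path(cwd))
    order.extend(Path(d) for d in path_dirs)
    return order


def resolve(dll_name, order):
    """First directory in `order` containing `dll_name`; None if the DLL exists
    nowhere (a 'phantom' DLL an attacker could supply outright)."""
    for directory in order:
        candidate = directory / dll_name
        if candidate.is_file():
            return candidate
    return None


def audit(order, system_dirs, dll_names):
    """Per DLL name: the path the loader would pick, the copy in a system
    directory (if any), and whether the pick is a hijack, i.e. a copy that
    sits earlier in the order than the legitimate one."""
    system_dirs = [Path(d) for d in system_dirs]
    report = {}
    for name in dll_names:
        loaded = resolve(name, order)
        legitimate = next((d / name for d in system_dirs if (d / name).is_file()), None)
        hijacked = loaded is not None and legitimate is not None and loaded != legitimate
        report[name] = {"loaded_from": loaded, "legitimate": legitimate, "hijacked": hijacked}
    return report


def writable_by_current_user(order):
    """Search-order directories the current account can write to.  Any entry
    ahead of the system directories that a non-admin user can write to is a
    hijack location (the first prerequisite listed in the advisory)."""
    return [d for d in order if os.access(d, os.W_OK)]


def build_lab(root):
    """Constructed layout: the legitimate example.dll in System32, an empty
    application directory, and an operator's working directory holding a
    planted copy."""
    root = Path(root)
    system32 = root / "Windows" / "System32"
    app_dir = root / "Program Files" / "Wonderware" / "InTouch"
    cwd = root / "Users" / "operator" / "Documents"
    for d in (system32, app_dir, cwd):
        d.mkdir(parents=True, exist_ok=True)
    (system32 / "example.dll").write_bytes(b"legitimate")
    (cwd / "example.dll").write_bytes(b"planted")  # attacker-controlled copy
    return app_dir, cwd, [system32]


def demo():
    """Returns (hijacked in legacy mode, hijacked in safe mode, hijacked in
    safe mode once a copy is also planted in the application directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, cwd, system_dirs = build_lab(tmp)
        name = "example.dll"
        legacy = audit(search_order(app_dir, cwd, system_dirs, [], safe_dll_search=False),
                       system_dirs, [name])[name]["hijacked"]
        safe = audit(search_order(app_dir, cwd, system_dirs, [], safe_dll_search=True),
                     system_dirs, [name])[name]["hijacked"]
        (app_dir / name).write_bytes(b"planted")  # copy next to the executable
        app_planted = audit(search_order(app_dir, cwd, system_dirs, [], safe_dll_search=True),
                            system_dirs, [name])[name]["hijacked"]
        return legacy, safe, app_planted


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The three results make the advisory's point concrete: SafeDllSearchMode removes the working-directory case, but a writable application directory (or a writable PATH entry) is searched before System32 in every mode, so host write permissions, not the loader setting, are the control that matters on an unpatched Wonderware server. `writable_by_current_user` is the check to run as the least-privileged account that can log on to the HMI.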
Tags: no patch available · local access required · low complexity attack · affects HMI and historian systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7), all end of life (EOL)

Product                          Affected versions   Fix status
InTouch                          < 2012              No fix (EOL)
Wonderware Application Server    < 2012              No fix (EOL)
Foxboro Control Software         < 4.0               No fix (EOL)
InFusion CE/FE/SCADA             < 2.5               No fix (EOL)
InBatch                          < 9.5 SP1           No fix (EOL)
Wonderware Historian             < 10.0 SP1          No fix (EOL)
Wonderware Information Server    < 4.5               No fix (EOL)
Remediation & Mitigation

Schedule: requires a maintenance window. Applying Windows or application updates may require a reboot of the host; plan for process interruption.

HARDENING: Disable or remove unnecessary network shares, and remove local file system write access for untrusted users, on Wonderware servers, in particular for the application directories and every other directory on the DLL search path
HARDENING: Monitor file creation and modification in Wonderware application directories and system paths for unauthorized changes, especially new .dll or .ocx files written by interactive user accounts
HARDENING: Run Wonderware applications under least-privilege user accounts to limit what a hijacked DLL can do
HOTFIX: Keep Windows and application libraries updated with security patches; this limits exposure to generic DLL hijacking techniques but does not correct the search order in the affected products themselves
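The monitoring control above, as an added example that is not part of the advisory or of any vendor tooling: a triage routine for file-creation events against the directories on a Wonderware host's DLL search path. The events are constructed in the shape of Sysmon Event ID 11 (FileCreate) fields, reduced to the two used here; the monitored directories, the `PLANT\operator` and `PLANT\svc-deploy` accounts and the file names are assumptions for the demonstration, not values from the advisory.

```python
"""Triage of file-creation events against a Wonderware host's DLL search path.
Added example for this advisory, not vendor code.  Directories, accounts and
events are constructed; events carry the two Sysmon Event ID 11 fields used."""
from pathlib import PureWindowsPath

# Extensions the Windows loader maps via LoadLibrary; ActiveX controls included.
LOADABLE_SUFFIXES = {".dll", ".ocx"}

# Constructed: the application directory plus the system directories that
# follow it in the search order.  On a real host, add the PATH entries too.
MONITORED_DIRS = [
    r"C:\Program Files\Wonderware\InTouch",
    r"C:\Windows\System32",
    r"C:\Windows",
]

# Constructed: the only accounts expected to write into those directories
# (OS updates and a deployment service).  Interactive operator accounts are
# deliberately absent, so any DLL they write there is worth a look.
ALLOWED_WRITERS = {r"NT AUTHORITY\SYSTEM", r"PLANT\svc-deploy"}


def triage_file_event(event, monitored_dirs=MONITORED_DIRS, allowed_writers=ALLOWED_WRITERS):
    """'alert' for a loadable module written directly into a monitored
    directory by an account not on the allow list, 'allow' when the writer is
    approved, and 'ignore' for anything outside the search path or not
    loadable.  PureWindowsPath keeps the comparison case-insensitive and lets
    this run on a non-Windows log collector."""
    target = PureWindowsPath(event["TargetFilename"])
    if target.suffix.lower() not in LOADABLE_SUFFIXES:
        return "ignore"
    # The loader only looks in the directory itself, so compare the parent,
    # not "is somewhere underneath".
    if not any(target.parent == PureWindowsPath(d) for d in monitored_dirs):
        return "ignore"
    if event["User"].lower() in {u.lower() for u in allowed_writers}:
        return "allow"
    return "alert"


def triage_all(events, **kw):
    """Verdict per event, paired with the written path for the alert text."""
    return [(e["TargetFilename"], triage_file_event(e, **kw)) for e in events]


# Constructed sample events (Sysmon Event ID 11 shape, two fields).
SAMPLE_EVENTS = [
    # operator drops a DLL next to the HMI executable: alert
    {"TargetFilename": r"C:\Program Files\Wonderware\InTouch\example.dll",
     "User": r"PLANT\operator"},
    # Windows Update replacing a runtime library: allowed writer
    {"TargetFilename": r"C:\Windows\System32\vendor_runtime.dll",
     "User": r"NT AUTHORITY\SYSTEM"},
    # a shift report written by the HMI: not loadable, ignored
    {"TargetFilename": r"C:\Program Files\Wonderware\InTouch\shift_report.csv",
     "User": r"PLANT\operator"},
    # the working-directory case: not in a fixed monitored directory, ignored
    {"TargetFilename": r"C:\Users\operator\Documents\example.dll",
     "User": r"PLANT\operator"},
]


if __name__ == "__main__":
    for path, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{verdict:6} {path}")
```

The fourth sample event shows the limit of directory-based monitoring: the current working directory is whatever the user last opened a file from, so a DLL planted there is invisible to this rule. That gap is closed by the host itself (SafeDllSearchMode, which moves the working directory behind the system directories) together with the write-permission controls listed above, not by adding more directories to the watch list.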
Mitigations (no patch available)

The following products have reached end of life with no planned fix: InTouch < 2012, Wonderware Application Server < 2012, Foxboro Control Software < 4.0, InFusion CE/FE/SCADA < 2.5, InBatch < 9.5 SP1, Wonderware Historian < 10.0 SP1, Wonderware Information Server < 4.5. Apply the following compensating controls:
HARDENING: Apply network segmentation and host access controls so that only authorized engineering and operations personnel can log on to, or write files to, machines running InTouch and other Wonderware products