OTPulse

Wonderware Information Server Vulnerabilities

Low Risk | ICS-CERT ICSA-13-113-01 | Jan 25, 2013
Summary

Wonderware Information Server contains multiple input validation vulnerabilities in its web interface that allow SQL injection, cross-site scripting (XSS), and improper input handling. These flaws exist in the portal and web components across versions 4.0 SP1SP1, 4.5 Portal, and 5.0 Portal. An attacker can exploit these vulnerabilities by submitting malicious input through web-based forms to inject SQL commands or execute scripts, potentially accessing or modifying sensitive industrial process data and system configurations stored in the information server database.

What this means
What could happen
An attacker could inject malicious code or SQL commands into Wonderware Information Server through web-based inputs, potentially allowing them to view sensitive industrial data, modify system configurations, or disrupt access to critical production information.
Who's at risk
Water authorities, electric utilities, and manufacturing plants using Wonderware Information Server for supervisory reporting and data access should be concerned. This vulnerability affects versions 4.0, 4.5, and 5.0, which are used for centralized monitoring and historian data retrieval across multiple control systems.
How it could be exploited
An attacker with network access to the Wonderware Information Server web interface could submit specially crafted input containing SQL injection or cross-site scripting (XSS) payloads. These payloads would be processed by the server without proper input validation, allowing the attacker to execute arbitrary SQL queries or inject malicious scripts that execute in the browser of users accessing the system.
Prerequisites
  • Network access to Wonderware Information Server web interface (typically port 80 or 443)
  • No authentication required for exploitation of input validation flaws
  • remotely exploitable
  • no authentication required for web interface access
  • input validation flaws enable code injection
  • affects data access layer used by multiple control systems
  • no patch available for affected versions
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
WIS: 4.0_SP1SP1 | 4.0 SP1SP1 | No fix (EOL)
WIS: 4.5–Portal | 4.5–Portal | No fix (EOL)
WIS: 5.0–Portal | 5.0–Portal | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate Wonderware Information Server on a restricted network segment accessible only to authorized engineering and operations staff
WORKAROUND: Implement a Web Application Firewall (WAF) with rules to block SQL injection and XSS attack patterns targeting the server
HARDENING: Contact AVEVA to determine if patches or workarounds are available for your specific deployment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable or restrict access to non-essential web interface features and input fields
Mitigations - no patch available
The following products have reached End of Life with no planned fix: WIS: 4.0_SP1SP1, WIS: 4.5–Portal, WIS: 5.0–Portal. Apply the following compensating controls:
HARDENING: Monitor access logs and database queries for suspicious patterns indicative of injection attacks
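
One way to act on the log-monitoring control above, as an added example (not OTPulse or vendor code): a Python scan of web access logs that URL-decodes each query string, including double encoding, and flags SQL injection and XSS indicators. It assumes W3C extended log format; the log lines, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended format (assumed); paths and parameters are hypothetical.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-01-25 10:00:01 10.0.5.21 GET /portal/report.aspx id=42 200
2013-01-25 10:00:07 10.0.9.77 GET /portal/report.aspx id=42%27%20OR%20%271%27%3D%271 500
2013-01-25 10:00:09 10.0.9.77 GET /portal/search.aspx q=%253Cscript%253Ealert(1)%253C%252Fscript%253E 200
2013-01-25 10:00:15 10.0.5.21 GET /portal/search.aspx q=pump+union+station 200
"""

# Heuristic indicators only: quote-broken boolean logic, UNION SELECT, stacked
# statements, trailing comment, time delay; script tags, event handlers, JS URLs.
SQLI = re.compile(r"['\"]\s*(?:or|and)\b.+?=|\bunion\b.+\bselect\b|"
                  r";\s*(?:drop|exec|xp_)\w*|--\s*$|\bwaitfor\s+delay\b", re.I)
XSS = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript\s*:|<\s*(?:img|svg|iframe)\b", re.I)

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is inspected in clear form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client_ip, uri, labels) for each request whose query looks like injection."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = decode_fully(row.get("cs-uri-query", "-"))
        labels = [name for name, rx in (("sqli", SQLI), ("xss", XSS)) if rx.search(query)]
        if labels:
            hits.append((row["c-ip"], row["cs-uri-stem"], labels))
    return hits

if __name__ == "__main__":
    for ip, uri, labels in scan(SAMPLE_LOG):
        print(ip, uri, ",".join(labels))
```

The patterns are heuristic indicators for triage, so expect to tune them against the portal's normal traffic before alerting on them.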