Opto 22 Multiple Product Vulnerabilities
Low Risk | ICS-CERT ICSA-15-120-01 | Jan 31, 2015
Summary
Opto 22 PAC Project Professional, PAC Project Basic, PAC Display Professional, PAC Display Basic, OptoOPCServer, and OptoDataLink contain stack-based buffer overflow vulnerabilities (CWE-121). These vulnerabilities could allow arbitrary code execution on engineering workstations and data servers running affected versions. All identified affected versions have reached end-of-support status with no patches available.
What this means
What could happen
A stack-based buffer overflow in Opto 22 engineering and connectivity software could allow an attacker to execute arbitrary code on engineering workstations or data servers, potentially disrupting process monitoring and control functions across your facility.
Who's at risk
Engineering and operations staff who use Opto 22 PAC controllers should care about this. The affected products are used to program, configure, and monitor Opto 22 distributed control systems commonly found in water treatment plants, pump stations, electrical substations, and building automation systems. Impact extends to any facility relying on these systems for process control.
How it could be exploited
An attacker would need to send specially crafted input to one of the affected Opto 22 applications (PAC Project, PAC Display, OptoOPCServer, or OptoDataLink). This could occur through malicious files, network messages, or local interaction with an engineering workstation running the vulnerable software.
Prerequisites
- Access to a system running one of the affected Opto 22 products
- Ability to send crafted input to the vulnerable application (file, network packet, or direct interaction)
Key facts
- Stack-based buffer overflow (CWE-121)
- Affects engineering software and data servers
- No vendor patch available
- Could enable code execution on control engineering workstations
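The bug class named above, CWE-121, is easiest to recognise in code. The following is an added illustration, not Opto 22 code and not a description of any affected product: a parser for a constructed length-prefixed record (one length byte followed by that many name bytes, copied into a 32-byte stack buffer) in the vulnerable form beside the hardened form. The record layout, the NAME_MAX size and the sample records are assumptions made for the example.

```c
/*
 * Added illustration of CWE-121 (stack-based buffer overflow).  Not Opto 22
 * code.  Record layout [len:1 byte][name:len bytes] and the 32-byte buffer
 * are constructed assumptions for the example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Vulnerable parser: checks the length against the INPUT, never against the
 * DESTINATION.  len > NAME_MAX writes past `name` into the saved frame
 * pointer and return address; len == NAME_MAX still overflows by one byte
 * because of the terminating NUL. */
int parse_record_unsafe(const uint8_t *msg, size_t msg_len, char *out, size_t out_sz)
{
    char name[NAME_MAX];                 /* fixed-size stack buffer */
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];                 /* attacker-controlled */
    if (msg_len < 1 + len)
        return -1;                       /* truncated record */
    memcpy(name, msg + 1, len);          /* not bounded by sizeof name */
    name[len] = '\0';
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Hardened parser: reject any length that does not fit the buffer with room
 * for the NUL, before the stack buffer is touched at all. */
int parse_record_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_sz)
{
    char name[NAME_MAX];
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len >= NAME_MAX)
        return -2;                       /* would overflow: refuse */
    if (msg_len < 1 + len)
        return -1;
    memcpy(name, msg + 1, len);
    name[len] = '\0';
    snprintf(out, out_sz, "%s", name);
    return 0;
}

/* Whether the unsafe parser would overrun `name` for this message, computed
 * without running it (running it on such input corrupts the stack). */
int unsafe_would_overflow(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return 0;
    size_t len = msg[0];
    if (msg_len < 1 + len)
        return 0;                        /* the unsafe parser rejects this too */
    return len >= NAME_MAX;
}

/* Constructed sample records, not captured from any product. */
static const uint8_t GOOD_RECORD[] = { 5, 'P', 'U', 'M', 'P', '1' };

static size_t build_bad_record(uint8_t *buf, size_t buf_sz)
{
    if (buf_sz < 201) return 0;
    buf[0] = 200;                        /* length byte 200 ... */
    memset(buf + 1, 'A', 200);           /* ... followed by 200 'A's */
    return 201;
}

/* Named checks so behaviour can be asserted rather than only printed. */
int demo_good_parses_with_both(void)
{
    char a[64], b[64];
    return parse_record_unsafe(GOOD_RECORD, sizeof GOOD_RECORD, a, sizeof a) == 0
        && parse_record_safe(GOOD_RECORD, sizeof GOOD_RECORD, b, sizeof b) == 0
        && strcmp(a, "PUMP1") == 0 && strcmp(b, "PUMP1") == 0;
}

int demo_bad_is_rejected_by_safe_parser(void)
{
    uint8_t bad[256];
    char out[64];
    size_t n = build_bad_record(bad, sizeof bad);
    return n == 201 && parse_record_safe(bad, n, out, sizeof out) == -2;
}

int demo_bad_would_overflow_unsafe_parser(void)
{
    uint8_t bad[256];
    size_t n = build_bad_record(bad, sizeof bad);
    return n == 201 && unsafe_would_overflow(bad, n) == 1;
}

int demo_exact_fit_is_still_off_by_one(void)
{
    uint8_t rec[1 + NAME_MAX];           /* len == NAME_MAX: copy fits, NUL does not */
    char out[64];
    rec[0] = NAME_MAX;
    memset(rec + 1, 'B', NAME_MAX);
    return unsafe_would_overflow(rec, sizeof rec) == 1
        && parse_record_safe(rec, sizeof rec, out, sizeof out) == -2;
}

int main(void)
{
    printf("good record parses with both parsers: %d\n", demo_good_parses_with_both());
    printf("oversized record rejected by safe parser: %d\n", demo_bad_is_rejected_by_safe_parser());
    printf("oversized record would overflow unsafe parser: %d\n", demo_bad_would_overflow_unsafe_parser());
    printf("exact-fit record still overflows unsafe parser: %d\n", demo_exact_fit_is_still_off_by_one());
    /* parse_record_unsafe is never called on the oversized records: that is
     * undefined behaviour and would corrupt this frame. */
    return 0;
}
```

The point to take from the two parsers is that the input-length check in the unsafe version looks like validation but protects only against reading past the message; the missing comparison is against the destination buffer, and the exact-fit case shows why that comparison must account for the terminator as well.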
Exploitability
Moderate exploit probability (EPSS 1.0%, the estimated probability that the vulnerability is exploited in the wild within the next 30 days)
Affected products (12)
12 EOL
(OptoOPCServer and OptoDataLink are named in the summary, but their version rows are not reproduced here.)
Product | Affected versions | Fix status
PAC Project Professional | <R9.4006 | No fix (EOL)
PAC Project Professional | <R9.4008 | No fix (EOL)
PAC Project Basic | <R9.4006 | No fix (EOL)
PAC Project Basic | <R9.4008 | No fix (EOL)
PAC Display Basic | <R9.4f | No fix (EOL)
PAC Display Basic | <R9.4g | No fix (EOL)
PAC Display Professional | <R9.4f | No fix (EOL)
PAC Display Professional | <R9.4g | No fix (EOL)
Read the version bounds as exclusive upper limits: an installation on a release at or above the listed bound is outside the affected range. Confirm the installed release of each product before relying on network isolation alone.
Remediation & Mitigation
Do now
- [Hardening] Isolate engineering workstations and servers running PAC Project, PAC Display, OptoOPCServer, or OptoDataLink from untrusted networks
- [Hardening] Restrict network access to these systems to only authorized personnel and trusted connections
- [Hardening] Monitor for suspicious activity or crashes on systems running affected Opto 22 software
- [Workaround] Avoid opening or importing untrusted files in PAC Project or PAC Display
CVEs (1)
API:
/api/v1/advisories/8f0eb6c6-f6c5-4aaf-ba68-deaa24aa60b9