Security
Headlines

Source

us-cert

WellinTech Kingview 6.53 Remote Heap Overflow

Overview This advisory is a follow-up to ICS-ALERT-11-011-01 WellinTech Kingview Buffer Overflow, published on the ICS-CERT Web site on January 11, 2011. Independent security researcher Dillon Beresford reported a heap overflow vulnerability in WellinTech KingView V6.53, which may allow a remote, unauthenticated attacker to execute arbitrary code. ICS-CERT has verified the vulnerability. WellinTech has developed and released a patch to mitigate this vulnerability, 6.53(2010-12-15). This patch has been validated by both ICS-CERT and the independent security researcher. Affected Products This vulnerability affects both the Chinese and English language versions of KingView V6.53. Impact Successful exploitation of the heap overflow vulnerability in KingView V6.53 would allow a remote attacker to cause the service to crash and may allow the execution of arbitrary code as the user. The specific impact to an individual organization depends on many factors that are unique to the organization. ...

Advantech Studio Test Web Server Buffer Overflow

Overview The ICS-CERT has received a report from independent security researcher Jeremy Brown that reveals a stack-based buffer overflow vulnerability in the test web server bundled with Advantech Studio Version 6.1. This web server is intended to be used for testing purposes and should not be used in a production environment. Advantech has verified the problem and has developed a patch to mitigate the vulnerability. Affected Products This vulnerability affects the test web server bundled with Advantech Studio Version 6.1 and all previous versions. This does not apply to Windows CE versions. Impact Advantech recommends using the bundled test web server only for testing purposes. If the bundled test web server is not used in production, the impact of this vulnerability should be minimal. While a successful exploit of the buffer overflow could allow arbitrary code execution, the specific impact to an individual organization depends on many factors that are unique to the organization. ICS...

Ecava IntegraXor Directory Traversal

Overview This advisory is a follow-up to ICS-ALERT-10-355-01 - Ecava IntegraXor Directory Traversal, published on the ICS-CERT Web page on December 21, 2010. ICS-CERT has become aware of a directory traversal vulnerability in the Ecava IntegraXor Human-Machine Interface (HMI) product that could allow data leakage. ICS-CERT is currently in contact with representatives of Ecava who have verified the vulnerability. Ecava has developed and released a patch to mitigate the vulnerability (igsetup-3.6.4000.1.msi or later) and has notified its customer base of the availability of the patch (http://www.integraxor.com/download/igsetup.msi). This patch has been verified by both the ICS-CERT and the independent security researcher. Affected Products This vulnerability affects all IntegraXor versions prior to Version 3.6 (Build 4000.0). For more information, customers can contact Ecava support at support@integraxor.com. Impact IntegraXor is currently used in several areas of process control in 38 c...

Intellicom NetBiter WebSCADA Vulnerabilities (Update A)

OVERVIEW This advisory is a follow-up to ICS-ALERT-10-293-01 - Intellicom NetBiter WebSCADA Vulnerabilities, published on the ICS-CERT Web page on October 20, 2010. On October 1, 2010 independent researchers identified vulnerabilities in the Intellicom NetBiter Supervisory Control and Data Acquisition (SCADA) applications. A directory traversal vulnerability that leads to local file disclosure is present in all affected devices. It is also possible to upload malicious web content using a custom logo page. All of the reported vulnerabilities require superadmin privileges. If the default password is not changed, the vulnerability can be leveraged to gain additional access to an affected device’s file system. --------- Begin Update A Part 1 of 2 -------- Intellicom has released a software update that limits the ability to read system files and eliminates the ability to perform directory traversals. --------- End Update A Part 1 of 2 -------- AFFECTED PRODUCTS Intellicom NetBiter p...

Ecava IntegraXor Buffer Overflow

Overview The ICS-CERT has received a report from independent security researcher Jeremy Brown that reveals a stack-based buffer overflow vulnerability in the Ecava IntegraXor Human-Machine Interface (HMI) product that could allow the execution of arbitrary code. Ecava has verified the claim and has released a patch to mitigate the vulnerability (igsetup-3.5.3900.10.msi or later). Affected Products This vulnerability affects all IntegraXor versions prior to v3.5 (Build 3900.10). Ecava has developed a patch to mitigate this vulnerability. For more information, customers can review the Ecava announcement at http://www.integraxor.com/blog/integraxor-3-5-scada-security-issue-20101006-0109-vulnerability-note. Impact IntegraXor is currently used in several areas of process control, though primarily in Malaysia. While a successful exploit of this vulnerability could lead to arbitrary code execution, the impact to individual organizations depends on many factors that are unique to each organiza...

Automated Solutions OPC Vulnerability (Update)

Overview The ICS-CERT has received a report from independent security researcher Jeremy Brown that reveals a heap corruption vulnerability in the Automated Solutions Modbus/TCP Master OPC server. Automated Solutions has confirmed that their most recent patch mitigates the vulnerability for Version 3.0.0. ICS-CERT has verified that the software update resolves the vulnerability identified by the researcher. --------- Begin Update A-------- The vulnerability could be exploited by creating a Modbus/TCP Slave application that generates non-compliant Modbus/TCP reply packets. Successful exploitation would likely not allow arbitrary code execution; however, an exploit could possibly corrupt the OPC server memory. --------- End Update A-------- Affected Products This vulnerability affects the Automated Solutions Modbus/TCP Master OPC Server product (Version 3.0.0) and all previous versions. --------- Begin Update A-------- According to Automated Solutions, no other products share the OPC Serv...

MOXA Device Manager Buffer Overflow (Update A)

Overview --------- Begin Update A Part 1 of 2 ---------- On October 20, 2010, an independent security researcher posted information (Rubén Santamarta, http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=1, website last visited October 28, 2010) regarding a vulnerability in MOXA Device Manager (MDM) Version 2.1. MOXA has confirmed this vulnerability and released Version 2.3 on November 11, 2010 to resolve this issue. Further updated information is listed in the vulnerability and mitigation section of this document. ---------- End Update A Part 1 of 2 ---------- The security researcher’s analysis indicates successful exploitation of this vulnerability can lead to arbitrary code execution and control of the system. However, based on conversations with the researcher, the level of difficulty to exploit this vulnerability is high. Affected Products MOXA Device Manager Version 2.1 is affected by this vulnerability. Impact MOXA’s embedded device products are implement...

RealFlex RealWin Buffer Overflow

Overview This advisory is a follow-up to ICS-ALERT-10-305-01 RealFlex RealWin Buffer Overflows, which was published on the ICS-CERT Web site on November 01, 2010. On October 15, 2010 an independent security researcher posted information (Researcher, http://aluigi.altervista.org/adv/realwin1-adv.txt, website last visited November 4, 2010) regarding vulnerabilities in RealFlex Technologies Ltd. RealWin SCADA software products. The security researcher’s analysis indicated that successful exploitation of these vulnerabilities can lead to arbitrary code execution and control of the system. RealFlex Technologies has validated the researcher’s findings and released an update (RealFlex, http://csrealflex.com/cs/index.ssp, website last visited November 8, 2010) to resolve these issues. ICS-CERT has verified that the software update resolves the vulnerabilities highlighted by the researcher. Affected Products All RealWin versions up to and including Version 2.1.8 (Build 6.1.8) are affected by these...

Primary Stuxnet Advisory

OVERVIEW ICS-CERT has been actively investigating and reporting on the Stuxnet vulnerability. To date, ICS-CERT has released ICSA-10-201-01 - Malware Targeting Siemens Control Software (including Updates B & C) and ICSA-10-238-01 - Stuxnet Mitigations (including Update B). Stuxnet uses four zero-day exploits (two of which have been patched) and takes advantage of a vulnerability also exploited by Conficker, which has been documented in Microsoft Security Bulletin MS-08-067 (Microsoft Security Bulletin, http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx, website last accessed September 28, 2010). The known methods of propagation include infected USB devices, network shares, STEP 7 Project files, WinCC database files, and the print spooler vulnerability addressed by MS-10-061 (Microsoft Security Bulletin, http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx, website last accessed September 28, 2010). The malware can be updated through a command and control infrastru...

SCADA Engine BACnet OPC Client Buffer Overflow Vulnerability

Overview This advisory is a follow-up to ICS-ALERT-10-260-01 SCADA Engine BACnet OPC Client Buffer Overflow, which was published on the ICS-CERT Web site on September 17, 2010. A buffer overflow vulnerability has been reported (Secunia Advisory SA41466, http://secunia.com/advisories/41466/, website last accessed September 21, 2010) in SCADA Engine’s BACnet OPC Client. Using a specially crafted malicious file, this vulnerability could allow an attacker to crash the application and execute arbitrary code. A software update is available that resolves this vulnerability. ICS-CERT is aware that exploit code for this vulnerability is publicly available (http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt, website last accessed September 21, 2010). However, ICS-CERT has not received any reports of the vulnerability being exploited in the wild. Affected Products ICS-CERT has confirmed the vulnerability in Version 1.0.24. Older versions may also be affected. SCADA Engine has released...