ICS-CERT: Invensys Wonderware HMI XSS Vulnerabilities

Thursday, February 09, 2012


Independent security researchers Billy Rios and Terry McCorkle have identified cross-site scripting (XSS) and write access violation vulnerabilities in the Invensys Wonderware HMI reports product.

ICS-CERT has coordinated these two vulnerabilities with Invensys, which has produced a new product version that resolves these reported vulnerabilities. The researchers have confirmed that the new version resolves these vulnerabilities.

AFFECTED PRODUCTS

According to Invensys, the following versions are affected:

• Wonderware HMI Reports 3.42.835.0304 and prior.

IMPACT

Successful attacks could result in data leakage, denial of service, or remote code execution. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and product implementation.

BACKGROUND

Wonderware is a brand offering of the Operations Management Division of Invensys. Invensys Operations Management is a provider of automation and information technologies and systems.

According to Invensys, Wonderware HMI Reports is deployed across several industries including manufacturing, building automation, oil and gas, water and wastewater, healthcare, and electric utilities. Invensys states that these products are used worldwide.

VULNERABILITY OVERVIEW

CROSS-SITE SCRIPTING: An XSS vulnerability exists in the Invensys Wonderware HMI Reports application because of a lack of server-side validation of query string parameter values. Exploitation of this vulnerability requires that a user visit a specially crafted URL, which injects client-side scripts into the server’s HTTP response to the client.

CVE-2011-4038 has been assigned to this vulnerability, which is identical to ICS-CERT Advisory “ICSA-12-024-01 – Ocean Data Systems Dream Reports XSS and Write Access Violation Vulnerabilities.” Invensys’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 6.0.
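The reflected XSS pattern described above, as an added illustration that is not code from the advisory or from Invensys: a hypothetical report-viewer handler that echoes a `report` query-string parameter. The vulnerable version concatenates the raw value into the HTML response; the hardened version applies the two controls the advisory's root cause points at, server-side validation of the parameter against an allowlist and HTML-encoding of anything echoed back. The URL, the parameter name and the allowed report names are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist of report names the viewer is willing to render.
ALLOWED_REPORTS = {"daily_production", "alarm_summary"}


def get_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent.

    parse_qs percent-decodes the value, so the server sees the same text
    a browser would have submitted.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter unchanged: a crafted URL puts script tags
    straight into the response body, which is the reported weakness."""
    report = get_param(url, "report")
    return "<h1>Report: " + report + "</h1>"


def render_hardened(url: str) -> str:
    """Validates the parameter server-side and encodes whatever is echoed.

    Either control alone would stop this particular payload; together they
    cover both unknown values and values that later become valid input.
    """
    report = get_param(url, "report")
    safe = escape(report, quote=True)  # < > & " ' become entities
    if report not in ALLOWED_REPORTS:
        return "<h1>Unknown report: " + safe + "</h1>"
    return "<h1>Report: " + safe + "</h1>"


# Constructed sample URLs for a test: a benign request and a request whose
# parameter carries a script tag (percent-encoded as a browser would send it).
BENIGN_URL = "http://hmi.example/reports/view?report=daily_production"
CRAFTED_URL = (
    "http://hmi.example/reports/view?report="
    "%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CRAFTED_URL))
    print("hardened:  ", render_hardened(CRAFTED_URL))
```

The difference shows up directly in the response text: the vulnerable handler returns a body containing a live `<script>` element, while the hardened one returns the same characters as `&lt;script&gt;`, which the browser renders as text rather than executing.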

WRITE ACCESS VIOLATION: A write access violation vulnerability exists in the Invensys Wonderware HMI Reports application. Exploitation of this vulnerability requires that a user opens a specially crafted file. This may result in arbitrary code execution.

CVE-2011-4039 has been assigned to this vulnerability, which is identical to ICS-CERT Advisory “ICSA-12-024-01 – Ocean Data Systems Dream Reports XSS and Write Access Violation Vulnerabilities.” Invensys’ assessment of the vulnerabilities using the CVSS Version 2.0 calculator rates a CVSS Base Score of 6.0.
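The advisory does not describe the file format involved, so the following is an added, hypothetical example rather than anything from the advisory or the product: a loader for a constructed length-prefixed "report definition" format that checks every declared record length against the bytes actually present before using it. A crafted file typically abuses a length or offset field the parser trusts; a loader that bounds-checks those fields rejects the file instead of reading or writing past its buffers. The magic value, record layout and size limit are all constructed for the example.

```python
import struct

# Constructed format: 4-byte magic, little-endian u32 record count, then
# records of (u32 length, length bytes). Not a real Wonderware format.
MAGIC = b"RPTD"
MAX_RECORD_BYTES = 64 * 1024  # assumed upper bound for a single record


def parse_report_file(data: bytes) -> list:
    """Parse the constructed format, refusing any length that does not fit.

    Every size taken from the file is validated against the data that is
    actually there before it drives a slice, so a malformed file produces a
    ValueError rather than an out-of-bounds access.
    """
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not a report definition file")
    (count,) = struct.unpack_from("<I", data, 4)
    offset = 8
    records = []
    for _ in range(count):
        if offset + 4 > len(data):
            raise ValueError("truncated record header")
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        if length > MAX_RECORD_BYTES:
            raise ValueError("record length exceeds limit")
        if offset + length > len(data):
            raise ValueError("record length exceeds file size")
        records.append(bytes(data[offset:offset + length]))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def build_report_file(records) -> bytes:
    """Serialise records into the constructed format (used to build samples)."""
    body = b"".join(struct.pack("<I", len(r)) + r for r in records)
    return MAGIC + struct.pack("<I", len(records)) + body


def is_safe_to_load(data: bytes) -> bool:
    """Pre-flight check a file before handing it to a less careful loader."""
    try:
        parse_report_file(data)
    except ValueError:
        return False
    return True


# Constructed samples: a well-formed file and one whose single record claims
# about 4 GB of payload while only two bytes follow the header.
GOOD_FILE = build_report_file([b"tag=FT101", b"period=1h"])
MALFORMED_FILE = MAGIC + struct.pack("<I", 1) + struct.pack("<I", 0xFFFFFFF0) + b"xx"

if __name__ == "__main__":
    print("good file loads:", is_safe_to_load(GOOD_FILE))
    print("malformed file loads:", is_safe_to_load(MALFORMED_FILE))
```

The same idea applies to any file-driven parser: treat counts, lengths and offsets read from the file as untrusted input, compare them with the real buffer size and an application-specific maximum, and fail closed before they are used for allocation or copying.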

EXPLOITABILITY

The XSS vulnerability is remotely exploitable. The write access violation is not remotely exploitable and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads a malformed file.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with a low skill level can create the XSS exploit. Social engineering is required to convince the user to visit a malicious site. Crafting a working exploit for the access violation vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.

MITIGATION

Invensys recommends users install the Security Update using specific instructions provided in each ReadMe file for each product and component being installed. In general, users should download the update, the associated upgrade instructions, and the license file update. After installation, users must migrate the report definitions into the new Quick Reports 2012 format, as explained in the upgrade instructions. Users must also request a permanent license file from the distributor.

Customers can access the update at the following website:

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf
