ICS-CERT: Pro-Face Pro-Server EX Multiple Vulnerabilities

Wednesday, July 04, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

This advisory is a follow-up to the alert titled “ICS-ALERT-12-137-01 - Pro-face Pro-Server EX Multiple Vulnerabilities,” that was published May 16, 2012, on the ICS-CERT Web page.

Independent researcher Luigi Auriemma identified multiple vulnerabilities in the Pro-face Pro-Server application and publicly released this information without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT.

The four confirmed vulnerabilities are invalid memory access, integer overflow, unhandled exception, and memory corruptions. Each of these vulnerabilities are remotely exploitable, and public exploits are known to target these vulnerabilities.

ICS-CERT has coordinated these vulnerabilities with the development and manufacturing company of Pro-face branded products, Digital Electronics, which has produced an update that resolves these vulnerabilities.

AFFECTED PRODUCTS

Digital Electronics reports that the vulnerabilities affect the following products:

• data management software Pro-Server EX versions 1.00.00 through 1.30.00, and

• HMI screen editor and logic programming software GP-Pro EX and related software WinGP Versions 2.00.00 through 3.01.100.

IMPACT

Exploitation of the reported vulnerabilities can result in a denial of service (DoS) or arbitrary code execution. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Pro-face is HMI-related hardware and software product found in a wide range of industries such as oil and gas, food and beverage, and water and wastewater industries. Pro-face products are used throughout the world, the highest number sold in Japan and the Asian Pacific area. According to its Web site, Pro-Server EX is a data management server that collects information generated by a PLC system through an HMI unit and generates reports. In February 2001, Pro-face America, Inc., a subsidiary of Digital Electronics Corporation, purchased Xycom Automation.

VULNERABILITY OVERVIEW

MEMORY CORRUPTION:  A specially crafted packet can cause an integer overflow that leads to a buffer overflow in an arbitrary memory location. Out-of-bounds memory access may result in the corruption of memory or instructions that may lead to a crash. The execution of arbitrary code may be possible. Other attacks leading to lack of availability may also be possible. CVE-2012-3792 has been assigned to this vulnerability. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).

INTEGER OVERFLOW:  It is possible to exploit an integer overflow to crash the server which could be considered a denial of service. CVE-2012-3793 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).

UNHANDLED EXCEPTION:  It is possible to terminate the server because of an unhandled exception. Exploitation of this vulnerability will cause a denial-of-service condition. CVE-2012-3794 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).

INVALID MEMORY READ ACCESS:  An attacker may crash the server by copying a large amount of memory from the target system. CVE-2012-3795 and CVE-2012-3796 have been assigned to these vulnerabilities. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).

MEMORY CORRUPTIONS:  An attacker is able to write more data to a memory location than is allocated due to a lack of size checks. This will likely result in a system crash. CVE-2012-3797 has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).

EXPLOITABILITY:  These vulnerabilities can be remotely exploited.

EXISTENCE OF EXPLOIT:  Public exploits are known to target these vulnerabilities.

DIFFICULTY:  An attacker with a moderate skill level would be able to exploit these vulnerabilities.

MITIGATION

Digital Electronics has released patch modules on its Web site at the following location:

The patch module prevents the Pro-Server EX and WinGP from an attack using inaccurate packets.

Digital Electronics recommends the following in addition to applying the patch:

• Review all network configurations for control system devices.
• Remove unnecessary PCs from control system networks.
• Remove unnecessary applications from control system networks.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-179-01.pdf

Possibly Related Articles:
9946
SCADA
Industrial Control Systems
SCADA Vulnerabilities Exploits Infrastructure ICS-CERT Memory Corruption Pro-face Pro-Server EX Integer Overflow Digital Electronics
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.