[NEWS] Wonderware SuiteLink Denial of Service Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Wonderware SuiteLink Denial of Service Vulnerability
------------------------------------------------------------------------


SUMMARY

WonderWare is supplier of industrial automation and information software
solutions. According to the company's website [1]: "one third of the
world's plants run Wonderware software solutions. Having sold more than
500,000 software licenses in over 100,000 plants worldwide, Wonderware has
customers in virtually every global industry - including Oil & Gas, Food &
Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and
more".

WonderWare offers software solutions in the areas of Production and
Performance Management, and Geographical SCADA and Supervisory HMI
(Human-Machine Interface). Several of these solutions running on Microsoft
Windows Operating Systems use a common software component, the SuiteLink
Service, to implement communications between components using a
proprietary protocol over TCP/IP networks.

A vulnerability was found in Wonderware SuiteLink Service ('slssvc.exe')
that could allow an un-authenticated remote attacker with the ability to
connect to the SuiteLink service TCP port to shutdown the service
abnormally by sending a malformed packet. Exploitation of the
vulnerability for remote code execution has not been proven, but it has
not been eliminated as a potential scenario.

DETAILS

Vulnerable Systems:
* WonderWare SuiteLink version prior to 2.0 Patch 01
* WonderWare InTouch version 8.0

Vendor Information, Solutions and Workarounds
The vendor has made a technical document available to registered customers
detailing how to address this issue [2]. Additionally, an extensive guide
detailing how to deploy and secure Industrial Control Systems is available
at the vendor's support site [3].

Vendor Statement:
Wonderware, a business unit of Invensys, is committed to collaborate with
our customers and industry standards committees to provide secure
applications, security best practices, deployment guidelines, tools and
prescriptive guidance for maintaining a secure environment. A potential
denial of service issue on an insecure network which could have been
instigated by a hostile internal user has been addressed in SuiteLink 2.0
Patch 01. More details can be found in Wonderware's Tech Alert 106 posted
on our website along with the Patch. (Please note that access to the Tech
Alert and the Patch will require that you register on our web site.)
Wonderware users interested in upgrading should contact Wonderware or
their local distributor.

Technical Description / Proof of Concept Code
WonderWare SuiteLink is a service that runs on Microsoft Windows Operating
Systems listening for connections on port 5413/tcp.

Un-authenticated client programs connecting to the service can send a
malformed packet that causes a memory allocation operation (a call to
'new()' operator) to fail returning a 'NULL' pointer. Due to a lack of
error-checking for the result of the memory allocation operation, the
program later tries to use the pointer as a destination for memory copy
operation, triggering an access violation error and terminating the
service.

An attacker can trigger the memory allocation operation failure by
specifying an abnormally large length field in a Registration packet. The
following binary excerpt shows where the problem is:


/-----------

text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet
..
text:00405C20 push edi
text:00405C21 test esi, esi ; Check value != 0
..
text:00405C31 push esi ; Alloc with our length
text:00405C32 mov [ebp+var_4], 0
text:00405C39 call operator new(uint); Big values return NULL
text:00405C3E mov ecx, esi ; Memcpy with our length
text:00405C40 mov esi, [ebp+pDestionationAddr]
text:00405C43 mov [ebx+4], eax ; new result is used as dest
text:00405C46 mov edi, eax ; address without checks.
text:00405C48 mov eax, ecx
text:00405C4A add esp, 4
text:00405C4D shr ecx, 2
text:00405C50 rep movsd ; AV due to invalid
text:00405C52 mov ecx, eax ; destination pointer.
text:00405C54 and ecx, 3

-----------/

Report Timeline
2008-01-30: Initial contact email sent by to Wonderware setting the
estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software
security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a
software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters
informing of the previous emails and requesting acknowledgement of the
notification of a security vulnerability.
2008-02-28: As requested during the phone call, Core re-sends the original
notification mail, stating that an advisory draft describing the
vulnerability is available since January 30th. The publication of the
advisory is re-scheduled to March 24th.
2008-02-28: Vendor acknowledges the email notification.
2008-02-28: Core sends the advisory draft to Wonderware support team.
2008-02-29: Vendor acknowledges reception of the report and states that it
understands the seriousness of the problem and that its development team
will look into it.
2008-02-29: Vendor asks for a copy of the proof of concept code used to
demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org where a Python
interpreter can be downloaded.
2008-03-10: Vendor requests more information about the network and the
firewall settings used during the tests and inquires about conformance (or
lack thereof) of the tested network with the vendor's security policies
and recommendations.
2008-03-10: Vendor asks for details about how the advisory will be
published.
2008-03-12: Core responds that the workstation running the vulnerable
service had no firewall activated in the tests, but since the Wonderware
SuiteLink Service allows incoming connections it is assumed that the
corresponding port should be allowed to receive inbound session
establishment packets. Core offers the vendor the opportunity to include
additional information in the "vendor information" section of the
advisory. Core explains that the advisory will be published on Core's
website and sent to security mailing lists. Core also reminds the vendor
that the publication date of the advisory has been moved from February
25th to March 24th, and explains that it is willing to discuss a new
publication date on the basis of having concrete plans, with a specific
date for the fix release.
2008-03-21: Vendor indicates that it will be unable to commit to releasing
fixes by March 24th and requests publication of the advisory to be delayed
to create a fix for vulnerable customers. The development team is
investigating how long it will take to make such a fix available. The
vendor indicates that the previous questions about firewall setup referred
to the vendor's recommended practices to secure networks on which their
systems run using firewalls and IPsec.
2008-03-21: Vendor indicates that it is issuing a Tech Alert to its
customers to address the issue. Details about the vulnerability have been
minimized in the Tech Alert. The vendor expresses concern about the level
of detail included in Core's advisory and requests that those details be
removed from the advisory because they give more detail than what is
needed to make people aware of the issue, and may lend itself to use by
people who might want to exploit it. Early estimates put the delivery time
for a fix at approximately three months, and the estimate is not final.
Vendor asks Core to delay any publication until it is able to have a
software fix ready.
2008-03-21: Core asks if the three-month estimate should be assumed to
have begun since the vendor's initial acknowledgement of Core's
notification -- which puts the estimated date for the release of a fix at
the end of May -- or since the date of the last email received (fix
released at the end of June). Core indicates that as of today it still has
no confirmation from the vendor that the vulnerability was replicated and
identified, and that the fix is already under development or testing, and
that is the information needed to re-schedule the publication date. Core
is expecting to receive that information from the vendor, but in the
meantime publication of the advisory is re-scheduled to March 31st 2008.
With regards to the questions and requests about the contents of the
security advisory, Core indicates that Core's technical publications are
aimed at providing legitimate security practitioners worldwide with the
technical details necessary to understand the nature of the security
issues reported; so they are able to devise, by their own judgment, the
risk mitigation approach that fits them the best. For that purpose, Core
believes that it is fundamental that they have precise and accurate
technical details about security issues -- as Wonderware itself has
demonstrated with the request for further technical details and
proof-of-concept code -- and that the whole reporting and disclosure
process is transparent for scrutiny of all interested parties.
2008-03-21: Vendor acknowledges Core's email and provides a copy of the
issued Technical Alert 106 and indicates that will provide more
information by March 25th 2008.
2008-03-26: Vendor confirms to have replicated the issue reported and
indicated that the Tech Alert 106 sent to customers confirms and
recognizes the issue. The Tech Alert also points out what measures can be
taken to mitigate risk. A project has been charter and is in progress to
fix this issue and properly QA the fix. With regard to the contents of
Core's report, it says that stating that a Denial of Service of SuiteLink
communication can be created from a remote node sends a corrupted data
packet seems to be sufficient to make people aware. The vendor says that
is having trouble understanding what the value is in providing specific
detail as to what technical issue is happening and asks for clarification
to understand how this information would benefit organizations. The vendor
acknowledges that the proof of concept code did help to replicate the
issue and that without it, it would have needed more time to identify it
from the report alone. The concern is that the details provided in the
report may give a hacker a specific direction to look for the
vulnerability. Finally, the vendor indicates that will have a better
estimation for the rlease date of a fix by Friday March 28th, 2008.
2008-03-27: Core acknowledges the vendor's email and indicates that is
looking forward to having the new estimate by Friday.
2008-03-28: Vendor informs that it has brought the estimated release date
in to May 2nd. If things go well during QA, they may be able to bring that
date in sooner and vendor requests that Core postpone publication until
that time.
2008-03-28: Core re-schedules publication of the advisory to May 2nd 2008
and says that it considers this date final unless the vendor indicates any
deviation from the current estimate with at least a week in advance of the
publication date, in which case Core would re-evaluate postponing
publication up to 5 working days. With regard to the previous inquiry
about the advisory's content, Core states that the purpose of publishing
security advisories and the rationale used to define their content is
simple and hopefully, once explained, both reasonable and understandable.
Core publishes advisories not only to make users aware of the existence of
a given vulnerability but also to facilitate its mitigation by either
official or any other means that the security community and/or the
vulnerable user population may devise. In order to do so, Core has learned
over the course of 13 years working in this particular field that it is
fundamental to provide precise and accurate technical information about
problems. It is that information that can help other security
practitioners to determine how to prevent exploitation, detect attacks or
to verify that a fix or workaround is actually functioning properly. Thus,
Core believes that it is necessary not only to indicate the mere existence
of the bug, but also to explain how to uniquely identify it in the
vulnerable software (to avoid confusion with all other known bugs or to
differentiate it from others that may be discovered in the future). It is
also important to determine
how the vulnerability could be used by potential attackers so that proper
detection mechanisms can be built, for example firewall rules, or IDS and
antivirus signatures. While Core recognizes that this may provide some
additional data to would-be attackers, clearly it also provides preciously
needed information to the defenders thus, leveling a field on which Core
believes the attackers are initially at advantage.
2008-04-01: Vendor acknowledges previous email and indicates that it will
provide a new update as soon as is available.
2008-04-28: Vendor informs Core that a fix for the vulnerability in
SuiteLink has been released.
2008-04-28: Core acknowledges previous emails and requests an official
vendor statement for the security advisory and more details about the
vulnerable packages and versions.
2008-04-29: Vendor provides an official statement and indicates that
versions of SuiteLink prior to 2.0 patch 01 are vulnerable. Multiple
products use SuiteLink.
2008-04-30: The advisory is ready for release, but the publication date is
re-scheduled to May 5th because May 1st is a public holiday in many
countries (International Workers' Day) and Core does not usually publish
advisories on Fridays (to avoid IT work on weekends).
2008-05-05: CORE-2008-0129 advisory is published.

References:
[1] WonderWare website <http://us.wonderware.com/>
http://us.wonderware.com/
[2] Tech Alert 106
<http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm> http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm
[3] WonderWare Security Manual - Securing Industrial Control Systems
<http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf> http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@xxxxxxxxxxxxxxxx>
CORE Security Technologies Advisories.
The original article can be found at:
<http://www.coresecurity.com/?action=item&id=2187>
http://www.coresecurity.com/?action=item&id=2187



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages
Loading