[ISN] Denial of service hole in WonderWare SCADA systems

From: InfoSec News (alerts@private)
Date: Thu May 08 2008 - 00:01:42 PDT


Heise Online
7 May 2008

Core Security [1] has discovered a vulnerability in WonderWare [2] 
industrial automation products that are used worldwide in power, 
petrochemicals, food, utilities, pharmaceutical and engineering 
industries. A component of its software for Windows allows attackers to 
remotely crash WonderWare systems using crafted packets.

Under Windows, several WonderWare systems use the SuiteLink] service 
(slssvc.exe) for inter-component communication via a proprietary 
TCP/IP-based protocol. This service listens for incoming network traffic 
on TCP port 5413. According to the Core Security advisory, the service 
returns a null pointer during memory allocation when processing a 
malformed registry packet with an excessively large length field. The 
null pointer is later used as a target for a copy operation, resulting 
in an access violation exception that makes the program crash. Core 
Security does not rule out the possibility that the vulnerability could 
also be exploited to inject and execute arbitrary code, but this has not 
been demonstrated.

WonderWare has fixed the flaw with a software update. Administrators of 
WonderWare systems are advised to download and install version 2.0 patch 
01 of SuiteLink at their earliest convenience. The update is available 
to registered users for download.

See also:

    * Wonderware SuiteLink Denial of Service vulnerability, security 
      advisory by Core Security 

    * Tech Alert 106, vulnerability report by WonderWare (registered 
      users only) 

[1] http://www.coresecurity.com/
[2] http://us.wonderware.com/

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Thu May 08 2008 - 00:12:13 PDT