Executive Summary

Summary
Title Invensys Wonderware InTouch creates insecure NetDDE share
Informations
Name VU#138633 First vendor Publication 2007-11-19
Vendor VU-CERT Last vendor Modification 2007-11-27
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score 9 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#138633

Invensys Wonderware InTouch creates insecure NetDDE share

Overview

Invensys Wonderware InTouch 8.0 creates a NetDDE share that could allow an attacker to run arbitrary programs.

I. Description

Invensys Wonderware InTouch HMI Software is used in Supervisory Control And Data Acquisition (SCADA) systems.

Dynamic Data Exchange (DDE) was designed to allow Microsoft Windows applications to share data. NetDDE is an extension to DDE that was developed by Wonderware. NetDDE allows communications with local DDE applications and with remote NetDDE agents using NetBIOS. NetDDE is not supported in Windows Vista, but is included in Windows NT, 2000, XP, and Server 2003.

InTouch 8.0 creates a universal NetDDE share. The permissions applied to the share may allow a remote attacker to execute arbitrary programs. Windows access permissions apply to NetDDE connections, however if an attacker can obtain valid credentials, or possibly if anonymous connections are enabled, the attacker could connect to the NetDDE share and execute programs.

II. Impact

A remote attacker may be able to execute any application that accepts NetDDE connections.

III. Solution

Upgrade

This issue has been addressed in Wonderware InTouch version 9 and later. Wonderware administrators with active support contracts who do not want to upgrade can get an updated version of Wonderware 8.0. Wonderware Tech Alert 98 contains information about obtaining fixed software. Wonderware administrators can also contact Wonderware for more information about obtaining updates.

Restrict access

Per Micrososoft Security Bulletin MS04-031 (which describes an unrelated NetDDE vulnerability in Windows), blocking the below ports at perirmeter firewalls can prevent remote NetDDE connections.

  • Ports 135/udp, 137/udp, 138/udp, 445/udp, 135/tcp, 139/tcp, 445/tcp, and 593/tcp
  • All unsolicited inbound traffic on ports greater than 1024
  • Any other specifically configured RPC port

Systems Affected

VendorStatusDate Updated
Invensys Vulnerable27-Nov-2007

References


http://us.wonderware.com/aboutus/whoweare/contactus.htm
http://pacwest.wonderware.com/web/News/NewsDetails.aspx?NewsThreadID=2&NewsID=201804
http://blogs.msdn.com/nickkramer/archive/2006/04/18/577962.aspx
http://msdn2.microsoft.com/en-us/library/ms648711.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;125703
http://lists.immunitysec.com/pipermail/dailydave/2004-October/001014.html
http://www.digitalbond.com/index.php/2007/11/19/wonderware-intouch-80-netdde-vulnerability-s4-preview/

Credit

This vulnerability was reported by Neutralbit with assistance from Digital Bond.

This document was written by Ryan Giobbi.

Other Information

Date Public11/19/2007
Date First Published11/19/2007 10:38:25 AM
Date Last Updated11/27/2007
CERT Advisory 
CVE Name 
Metric0.57
Document Revision22

Original Source

Url : http://www.kb.cert.org/vuls/id/138633

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-17 Accessing, Modifying or Executing Executable Files
CAPEC-60 Reusing Session IDs (aka Session Replay)
CAPEC-61 Session Fixation
CAPEC-62 Cross Site Request Forgery (aka Session Riding)
CAPEC-122 Exploitation of Authorization
CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels
CAPEC-232 Exploitation of Privilege/Trust
CAPEC-234 Hijacking a privileged process

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Open Source Vulnerability Database (OSVDB)

Id Description
42398 Invensys Wonderware InTouch NetDDE Share Permission Weakness Remote Privilege...

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2013-05-11 12:26:30
  • Multiple Updates