Executive Summary

Summary
Title: Invensys Wonderware InBatch and Foxboro I/A Series Batch database lock manager service (lm_tcp) buffer overflow vulnerability
Information
Name: VU#647928
First vendor publication: 2010-12-15
Vendor: VU-CERT
Last vendor modification: 2010-12-16
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#647928

Invensys Wonderware InBatch and Foxboro I/A Series Batch database lock manager service (lm_tcp) buffer overflow vulnerability

Overview

The lm_tcp service in Invensys Wonderware InBatch and Foxboro I/A Series Batch contains a buffer overflow vulnerability when copying string data into a buffer in a fixed structure.

I. Description

From the Invensys Wonderware website: "InBatch is powerful software that can be used in the most complex batching processes that require a high level of flexibility." Wonderware InBatch runs a database lock manager (lm_tcp) service that listens on port 9001; it is started either manually or automatically when "Environment Display/Manager" is launched. Foxboro I/A Series Batch includes an application with the same service. The service in both products is vulnerable to a buffer overflow when copying a string into a 150-byte buffer that is part of a fixed structure.
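The bug class described above, as an added example (not code from the vendor, the advisory or this page): a 150-byte string field inside a fixed structure, with an unbounded copy beside a length-checked one. The structure layout and all field and function names are hypothetical; only the 150-byte size comes from the advisory.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 150              /* buffer size stated in the advisory */

/* Hypothetical layout: a string field inside a fixed structure, followed by
 * another member that an overrun would reach first. */
struct lock_record {
    char name[NAME_LEN];
    unsigned int owner_id;
};

/* Unbounded pattern, for contrast only (the product's code is not on the
 * page): the sender's string length decides how much is written. */
void set_name_unchecked(struct lock_record *r, const char *wire)
{
    strcpy(r->name, wire);
}

/* Bounded form. wire/wire_len is the received payload and may lack a NUL.
 * Returns 0 on success, -1 if the string does not fit with its terminator. */
int set_name_checked(struct lock_record *r, const unsigned char *wire,
                     size_t wire_len)
{
    const unsigned char *nul = memchr(wire, '\0', wire_len);
    size_t len = nul ? (size_t)(nul - wire) : wire_len;
    if (len >= sizeof r->name)
        return -1;                /* reject; do not truncate silently */
    memcpy(r->name, wire, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed input: payload_len bytes of 'A' with no terminator.
 * Returns the copy result, or -2 if the adjacent member was modified. */
int demo(size_t payload_len)
{
    unsigned char payload[400];
    struct lock_record r = { "", 0x1234u };
    int rc;
    if (payload_len > sizeof payload)
        return -3;
    memset(payload, 'A', sizeof payload);
    rc = set_name_checked(&r, payload, payload_len);
    return (r.owner_id == 0x1234u) ? rc : -2;
}

int main(void) { return demo(400) == -1 ? 0 : 1; }
```

A string of exactly 150 bytes is rejected as well, because the terminator would land one byte past the field.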

II. Impact

An attacker can cause the device to crash and may be able to execute arbitrary code.

III. Solution

Upgrade

According to Invensys, users of Wonderware InBatch 8.1 – InBatch Server (all versions), Wonderware InBatch 9.0 – InBatch Server (all versions), I/A Series Batch 8.1 – I/A Series Batch Server (all versions) should apply the vendor security update.

Restrict Access

Enable firewall rules to restrict access for port 9001/tcp to only trusted sources.

Vendor Information

Vendor    Status    Date Notified    Date Updated
Invensys  Affected  2010-12-15

References

http://global.wonderware.com/EN/Pages/WonderwareInBatchSoftware.aspx
http://aluigi.org/adv/inbatch_1-adv.txt
http://www.us-cert.gov/control_systems/pdf/ICSA-10-348-01.pdf
http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx
http://secunia.com/advisories/42528

Credit

This vulnerability was publicly disclosed by Luigi Auriemma.

This document was written by Michael Orlando.

Other Information

Date Public: 2010-12-08
Date First Published: 2010-12-15
Date Last Updated: 2010-12-16
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric: 24.41
Document Revision: 25

Original Source

URL: http://www.kb.cert.org/vuls/id/647928

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 2

Open Source Vulnerability Database (OSVDB)

Id Description
69936 Invensys Wonderware InBatch lm_tcp Service Crafted TCP Request Remote Overflo...

Wonderware InBatch is prone to an overflow condition. The lm_tcp service fails to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted request to port 9001, a remote attacker can cause a denial of service, and possibly execute arbitrary code.