[SCADASEC] Fw: [ISN] Denial of service hole in WonderWare SCADA systems

Bob Radvanovsky rsradvan at unixworks.net
Thu May 8 10:04:22 CDT 2008 

More postings about the Wonderware exploit/vulnerability.

-rad

----- Original Message -----
From: InfoSec News [mailto:alerts at infosecnews.org]
To: isn at infosecnews.org
Subject: [ISN] Denial of service hole in WonderWare SCADA systems 


> http://www.heise-online.co.uk/news/Denial-of-service-hole-in-WonderWare-SCADA-systems--/110681
> 
> Heise Online
> 7 May 2008
> 
> Core Security [1] has discovered a vulnerability in WonderWare [2] 
> industrial automation products that are used worldwide in power, 
> petrochemicals, food, utilities, pharmaceutical and engineering 
> industries. A component of its software for Windows allows attackers to 
> remotely crash WonderWare systems using crafted packets.
> 
> Under Windows, several WonderWare systems use the SuiteLink] service 
> (slssvc.exe) for inter-component communication via a proprietary 
> TCP/IP-based protocol. This service listens for incoming network traffic 
> on TCP port 5413. According to the Core Security advisory, the service 
> returns a null pointer during memory allocation when processing a 
> malformed registry packet with an excessively large length field. The 
> null pointer is later used as a target for a copy operation, resulting 
> in an access violation exception that makes the program crash. Core 
> Security does not rule out the possibility that the vulnerability could 
> also be exploited to inject and execute arbitrary code, but this has not 
> been demonstrated.
> 
> WonderWare has fixed the flaw with a software update. Administrators of 
> WonderWare systems are advised to download and install version 2.0 patch 
> 01 of SuiteLink at their earliest convenience. The update is available 
> to registered users for download.
> 
> See also:
> 
>     * Wonderware SuiteLink Denial of Service vulnerability, security 
>       advisory by Core Security 
>      
> http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2187
> 
>     * Tech Alert 106, vulnerability report by WonderWare (registered 
>       users only) 
>      
> http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm
> 
> [1] http://www.coresecurity.com/
> [2] http://us.wonderware.com/
>

More information about the scadasec mailing list