<<< Date Index >>>     <<< Thread Index >>>

CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://www.coresecurity.com/corelabs/

   Wonderware SuiteLink Denial of Service vulnerability


*Advisory Information*

Title: Wonderware SuiteLink Denial of Service vulnerability
Advisory ID: CORE-2008-0129
Advisory URL: http://www.coresecurity.com/?action=item&id=2187
Date published: 2008-05-05
Date of last update: 2008-05-05
Vendors contacted: Wonderware
Release mode: Coordinated release


*Vulnerability Information*

Class: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28974       
CVE Name: CVE-2008-2005 


*Vulnerability Description*

WonderWare is supplier of industrial automation and information software
solutions. According to the company's website [1]: "one third of the
world's plants run Wonderware software solutions. Having sold more than
500,000 software licenses in over 100,000 plants worldwide, Wonderware
has customers in virtually every global industry - including Oil & Gas,
Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals,
Automotive and more".

WonderWare offers software solutions in the areas of Production and
Performance Management, and Geographical SCADA and Supervisory HMI
(Human-Machine Interface). Several of these solutions running on
Microsoft Windows Operating Systems use a common software component, the
SuiteLink Service, to implement communications between components using
a proprietary protocol over TCP/IP networks.

A vulnerability was found in Wonderware SuiteLink Service ('slssvc.exe')
that could allow an un-authenticated remote attacker with the ability to
connect to the SuiteLink service TCP port to shutdown the service
abnormally by sending a malformed packet. Exploitation of the
vulnerability for remote code execution has not been proven, but it has
not been eliminated as a potential scenario.


*Vulnerable Packages*

. Systems using WonderWare SuiteLink prior to version 2.0 Patch 01.
. The vulnerability was discovered and tested on a system running
WonderWare InTouch 8.0.


*Non-vulnerable Packages*

. Contact WonderWare for details.


*Vendor Information, Solutions and Workarounds*

The vendor has made a technical document available to registered
customers detailing how to address this issue [2]. Additionally, an
extensive guide detailing how to deploy and secure Industrial Control
Systems is available at the vendor's support site [3].

Vendor Statement:

   Wonderware, a business unit of Invensys, is committed to collaborate
with our customers and industry standards committees to provide secure
applications, security best practices, deployment guidelines, tools and
prescriptive guidance for maintaining a secure environment. A potential
denial of service issue on an insecure network which could have been
instigated by a hostile internal user has been addressed in SuiteLink
2.0 Patch 01. More details can be found in Wonderware's Tech Alert 106
posted on our website along with the Patch. (Please note that access to
the Tech Alert and the Patch will require that you register on our web
site.) Wonderware users interested in upgrading should contact
Wonderware or their local distributor.


*Credits*

This vulnerability was discovered and researched by Sebastian Muniz from
the Exploit Writers Team (EWT) at Core Security Technologies.


*Technical Description / Proof of Concept Code*

WonderWare SuiteLink is a service that runs on Microsoft Windows
Operating Systems listening for connections on port 5413/tcp.

Un-authenticated client programs connecting to the service can send a
malformed packet that causes a memory allocation operation (a call to
'new()' operator) to fail returning a 'NULL' pointer. Due to a lack of
error-checking for the result of the memory allocation operation, the
program later tries to use the pointer as a destination for memory copy
operation, triggering an access violation error and terminating the
service.

An attacker can trigger the memory allocation operation failure by
specifying an abnormally large length field in a Registration packet.
The following binary excerpt shows where the problem is:


/-----------

.text:00405C1B mov  esi, [ebp+dwLen]  ; Our value from packet
...
.text:00405C20 push edi
.text:00405C21 test esi, esi          ; Check value != 0
...
.text:00405C31 push esi               ; Alloc with our length
.text:00405C32 mov  [ebp+var_4], 0
.text:00405C39 call operator new(uint); Big values return NULL
.text:00405C3E mov  ecx, esi          ; Memcpy with our length
.text:00405C40 mov  esi, [ebp+pDestionationAddr]
.text:00405C43 mov  [ebx+4], eax      ; new result is used as dest
.text:00405C46 mov  edi, eax          ; address without checks.
.text:00405C48 mov  eax, ecx
.text:00405C4A add  esp, 4
.text:00405C4D shr  ecx, 2
.text:00405C50 rep  movsd             ; AV due to invalid
.text:00405C52 mov  ecx, eax          ; destination pointer.
.text:00405C54 and  ecx, 3

- -----------/


*Report Timeline*

. 2008-01-30: Initial contact email sent by to Wonderware setting the
estimated publication date of the advisory to February 25th.
. 2008-01-30: Contact email re-sent to Wonderware asking for a software
security contact for Wonderware InTouch.
. 2008-02-06: New email sent to Wonderware asking for a response and for
a software security contact for Wonderware InTouch.
. 2008-02-28: Core makes direct phone calls to Wonderware headquarters
informing of the previous emails and requesting acknowledgement of the
notification of a security vulnerability.
. 2008-02-28: As requested during the phone call, Core re-sends the
original notification mail, stating that an advisory draft describing
the vulnerability is available since January 30th. The publication of
the advisory is re-scheduled to March 24th.
. 2008-02-28: Vendor acknowledges the email notification.
. 2008-02-28: Core sends the advisory draft to Wonderware support team.
. 2008-02-29: Vendor acknowledges reception of the report and states
that it understands the seriousness of the problem and that its
development team will look into it.
. 2008-02-29: Vendor asks for a copy of the proof of concept code used
to demonstrate the vulnerability.
. 2008-03-03: Core sends proof-of-concept code written in Python.
. 2008-03-05: Vendor asks for compiler tools  required to use the PoC code.
. 2008-03-05: Core sends a link to http://www.python.org where a Python
interpreter can be downloaded.
. 2008-03-10: Vendor requests more information about the network and the
firewall settings used during the tests and inquires about conformance
(or lack thereof) of the tested network with the vendor's security
policies and recommendations.
. 2008-03-10: Vendor asks for details about how the advisory will be
published.
. 2008-03-12: Core responds that the workstation running the vulnerable
service had no firewall activated in the tests, but since the Wonderware
SuiteLink Service allows incoming  connections it is assumed that the
corresponding port should be allowed to receive inbound session
establishment packets. Core offers the vendor the opportunity to include
additional information in the "vendor information" section of the
advisory. Core explains that the advisory will be published on Core's
website and sent to security mailing lists. Core also reminds the vendor
that the publication date of the advisory has been moved from February
25th to March 24th, and explains that it is willing to discuss a new
publication date on the basis of having concrete plans, with a specific
date for the fix release.
. 2008-03-21: Vendor indicates that it will be unable to commit to
releasing fixes by March 24th and requests publication of the advisory
to be delayed to create a fix for vulnerable customers. The development
team is investigating how long it will take to make such a fix
available. The vendor indicates that the previous questions about
firewall setup referred to the vendor's recommended practices to secure
networks on which their systems run using firewalls and IPsec.
. 2008-03-21: Vendor indicates that it is issuing a Tech Alert to its
customers to address the issue. Details about the vulnerability have
been minimized in the Tech Alert. The vendor expresses concern about the
level of detail included in Core's advisory and requests that those
details be removed from the advisory because they give more detail than
what is needed to make people aware of the issue, and may lend itself to
use by people who might want to exploit it. Early estimates put the
delivery time for a fix at approximately three months, and the estimate
is not final. Vendor asks Core to delay any publication until it is able
to have a software fix ready.
. 2008-03-21: Core asks if the three-month estimate should be assumed to
have begun  since the vendor's initial acknowledgement of Core's
notification -- which puts the estimated date for the release of a fix
at the end of May -- or since the date of the last email received (fix
released at the end of June). Core indicates that as of today it still
has no confirmation from the vendor that the vulnerability was
replicated and identified, and that the fix is already under development
or testing, and that is the information needed to re-schedule the
publication date. Core is expecting to receive that information from the
vendor, but in the meantime publication of the advisory is re-scheduled
to March 31st 2008. With regards to the questions and requests about the
contents of the security advisory, Core indicates that Core's technical
publications are aimed at providing legitimate security practitioners
worldwide with the technical details necessary to understand the nature
of the security issues reported; so they are able to devise, by their
own judgment, the risk mitigation approach that fits them the best. For
that purpose, Core believes that it  is fundamental that they have
precise and accurate technical details about security issues --  as
Wonderware itself has demonstrated with the request for further
technical details and proof-of-concept code -- and that the whole
reporting and disclosure process is transparent for scrutiny of all
interested parties.
. 2008-03-21: Vendor acknowledges Core's email and provides a copy of
the issued Technical Alert 106 and indicates that will provide more
information by March 25th 2008.
. 2008-03-26: Vendor confirms to have replicated the issue reported and
indicated that the Tech Alert 106 sent to customers confirms and
recognizes the issue.  The Tech Alert also points out what measures can
be taken to mitigate risk. A project has been charter and is in progress
to fix this issue and properly QA the fix. With regard to the contents
of Core's report, it says that stating that a Denial of Service of
SuiteLink communication can be created from a remote node sends a
corrupted data packet seems to be sufficient to make people aware. The
vendor says that is having trouble understanding what the value is in
providing specific detail as to what technical issue is happening and
asks for clarification to understand how this information would benefit
organizations. The vendor acknowledges that the proof of concept code
did help  to replicate the issue and that without it, it would have
needed more time to identify it from the report alone. The  concern is
that the details provided in the report may give a hacker a specific
direction to look for the vulnerability. Finally, the vendor indicates
that will have a better estimation for the rlease date of a fix by
Friday March 28th, 2008.
. 2008-03-27: Core acknowledges the vendor's email and indicates that is
looking forward to having the new estimate by Friday.
. 2008-03-28: Vendor informs that it has brought the estimated release
date in to May 2nd. If things go well during QA, they may be able to
bring that date in sooner and vendor requests that Core postpone
publication until that time.
. 2008-03-28: Core re-schedules publication of the advisory to May 2nd
2008 and says that it considers this date final unless the vendor
indicates any deviation from the current estimate with at least a week
in advance of the publication date, in which case Core would re-evaluate
postponing publication up to 5 working days. With regard to the previous
inquiry about the advisory's content, Core states that the purpose of
publishing security advisories and the rationale used to define their
content is simple and hopefully, once explained, both reasonable and
understandable. Core publishes advisories not only to make users aware
of the existence of a given vulnerability but also to facilitate its
mitigation by either official or any other means that the security
community and/or the vulnerable user population may devise. In order to
do so, Core has learned over the course of 13 years working  in this
particular field that it is fundamental to provide precise and accurate
technical information about problems. It is that information that can
help other security practitioners to determine how to prevent
exploitation, detect attacks or to verify that a fix or workaround is
actually functioning properly. Thus, Core believes that it is necessary
not only to indicate the mere existence of the bug, but also to explain
how to uniquely identify it in the vulnerable software (to avoid
confusion with all other known bugs or to differentiate it from others
that may be discovered in the future). It is also important to determine
how the vulnerability could be used by potential attackers so that
proper detection mechanisms can be built, for example firewall rules, or
IDS and antivirus signatures. While Core recognizes that this may
provide some additional data to would-be attackers, clearly it also
provides preciously needed information to the defenders thus, leveling a
field on which Core believes the attackers are initially at advantage.
. 2008-04-01: Vendor acknowledges previous email and indicates that it
will provide a new update as soon as is available.
. 2008-04-28: Vendor informs Core that a fix for the vulnerability in
SuiteLink has been released.
. 2008-04-28: Core acknowledges previous emails and requests an official
vendor  statement for the security advisory and more details about the
vulnerable packages and versions.
. 2008-04-29: Vendor provides an official  statement and indicates that
versions  of SuiteLink prior to 2.0 patch 01 are vulnerable. Multiple
products use SuiteLink.
. 2008-04-30: The advisory is ready for release, but the publication
date is re-scheduled to May 5th because May 1st is a public holiday in
many countries (International Workers' Day) and Core does not usually
publish advisories on Fridays (to avoid IT work on weekends).
. 2008-05-05: CORE-2008-0129 advisory is published.


*References*

[1] WonderWare website http://us.wonderware.com/
[2] Tech Alert 106
http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm
[3] WonderWare Security Manual - Securing Industrial Control Systems

http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIH2eAyNibggitWa0RAtlcAKCgV83vS0v4aLVTRtFmkBsEg0UPXgCdHL4p
si+I8mGJwJuglh+QESsZ9ZE=
=705O
-----END PGP SIGNATURE-----