ICS-CERT: Certec WebMI2ADS Multiple Vulnerabilities

Tuesday, April 17, 2012

Infosec Island Admin


ICS-CERT released an alert titled “ICS-ALERT-11-283-02 – Certec atvise webMI Multiple Vulnerabilities” to the ICS-CERT web page on October 10, 2011.

Independent researcher Luigi Auriemma has identified multiple vulnerabilities in Certec’s WebMI2ADS application.

These vulnerabilities and proof of concept code were disclosed without coordination with ICS-CERT, the vendor, or any other coordinating entity. Certec has produced an update that resolves these vulnerabilities. Mr. Auriemma has verified that the update resolves the identified vulnerabilities.

Certec webMI2ADS – All versions prior to Version 2.0.2 are affected.

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to cause a denial of service (DoS) or could lead to data leakage.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Certec EDV GmbH is an Austrian-based company with regional partners in Germany, Switzerland, Italy, and Israel.

Certec webMI2ADS is the server component of a browser-based HMI system. WebMI2ADS is used primarily in factory and building automation.

VULNERABILITY OVERVIEW

DIRECTORY TRAVERSAL: The web server in webMI does not implement sufficient measures to prevent reading files from an unauthorized directory. An attacker could exploit this vulnerability by sending a specially crafted request to the web server on Port 80/TCP. A successful attack may result in data leakage. CVE-2011-4880 has been assigned to this vulnerability. A CVSS V2 base score of 5.0 has also been assigned.
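The defensive check that the advisory says is missing, shown as an added example (not Certec's code): map a request path onto a file below the web root, rejecting encoded, double-encoded, backslash and NUL-byte traversal, and verify after symlink resolution that the result still sits inside the root. The web root path is a constructed placeholder.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed placeholder for the HMI web root; not a real product path.
DEMO_ROOT = "/srv/webmi"


class TraversalError(Exception):
    """Raised when a request path would resolve outside the web root."""


def resolve_under_root(web_root: str, request_path: str) -> str:
    """Return the absolute file path a request maps to, or raise TraversalError."""
    # Decode twice so double-encoded "%252e%252e" is treated like "..".
    # This is deliberately conservative for a deny check.
    path = unquote(unquote(request_path))
    if "\x00" in path:
        raise TraversalError("NUL byte in request path")
    # Treat backslashes as separators, as a Windows-hosted server would.
    path = path.replace("\\", "/")
    # Drop any query string, then normalise "." and ".." segments lexically
    # as a relative path so ".." above the root is not silently clamped.
    path = path.split("?", 1)[0].lstrip("/")
    path = posixpath.normpath(path)
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, path))
    # Final containment check after symlinks are resolved.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{request_path!r} escapes web root")
    return candidate


def is_safe(web_root: str, request_path: str) -> bool:
    """True if the request stays inside web_root, False if it would escape."""
    try:
        resolve_under_root(web_root, request_path)
        return True
    except TraversalError:
        return False
```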

NULL POINTER: The web server in webMI does not implement checks on a return value from a function. An attacker could exploit this vulnerability by sending a specially crafted request to the web server on Port 80/TCP. A successful attack would result in a DoS condition. CVE-2011-4881 has been assigned to this vulnerability. A CVSS V2 base score of 5.0 has also been assigned.

TERMINATION OF THE SOFTWARE: An attacker could use a non-authenticated command via the web interface on Port 80/TCP to shut down the application. A successful attack would result in a DoS condition. CVE-2011-4882 has been assigned to this vulnerability. A CVSS V2 base score of 5.0 has also been assigned.

RESOURCE CONSUMPTION: The web server in webMI does not implement checks for invalid values in an HTTP request. An attacker could exploit this vulnerability by sending a specially crafted request to the web server on Port 80/TCP. A successful attack would result in a DoS condition. CVE-2011-4883 has been assigned to this vulnerability. A CVSS V2 base score of 5.0 has also been assigned.

EXPLOITABILITY: These vulnerabilities are remotely exploitable.

EXISTENCE OF EXPLOIT: Public exploits are known to target these vulnerabilities.

DIFFICULTY: An attacker with a low skill level may cause a DoS condition or access sensitive data.

MITIGATION

Certec has released version 2.0.2 of webMI2ADS which fixes these vulnerabilities. Customers can download version 2.0.2 of webMI2ADS at: http://www.atvise.com/en/atvise-downloads/products

Users will need to be registered in order to download the new product. Certec and ICS-CERT recommend that owners of vulnerable versions of the webMI2ADS product download and install the updated version as soon as possible.

The full ICS-CERT advisory can be found here: http://www.us-cert.gov/control_systems/pdf/ICSA-12-102-01.pdf
