Sielco Sistemi WinLog Stack Overflow
ICSA： ICS Advisory (ICSA-11-017-02)
Independent researcher Luigi Auriemma reported a stack overflow vulnerability in Version 2.07.00 of the Sielco Sistemi WinLog Lite and Winlog Pro HMI software.
Sielco Sistemi has developed an update (Version 2.07.01) to address this vulnerability. The researcher has verified that the update is effective in correcting this vulnerability.
This vulnerability affects all versions of Sielco Sistemi’s WinLog Lite and WinLog Pro prior to Version 2.07. 00.
Winlog is used in building automation, monitoring systems, and food production in 16 countries around the world. Sielco Sistemi is based in Italy.
While a successful exploit of this vulnerability could lead to arbitrary code execution, the impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Winlog is a SCADA/HMI software package for the supervision of industrial and civil plants. It can connect to PLCs, controllers, motor drives, and I/O modules.
The Winlog system can act as a server by enabling the "Run TCP/IP server" option. The server listens on TCP port 46823. A specially crafted packet from a remote attacker can cause a stack overflow possibly allowing an attacker to execute arbitrary code.
This vulnerability is exploitable from a remote machine.
Existence of Exploit
This exploit code and vulnerability details are publicly available.
A high level of skill is needed to exploit this vulnerability.
ICS-CERT recommends that users of Sielco Sistemi’s Winlog system take the following mitigation steps:
- Update Winlog Lite and WinLog Pro to the latest Version (2.07.01).
For additional information, customers can contact Sielco Sistemi’s support.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.