Pro-Face Pro-Server EX Vulnerabilities
ICSA： ICS Advisory (ICSA-12-179-01)
This advisory is a follow-up to the alert titled “ICS-ALERT-12-137-01 Pro-face Pro-Server EX Vulnerabilities,” that was published May 16, 2012, on the ICS-CERT Web page.
Independent researcher Luigi Auriemma identified multiple vulnerabilities in the Pro-face Pro-Server EX application and publicly released this information without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT.
The four confirmed vulnerabilities are invalid memory access, integer overflow, unhandled exception, and memory corruptions. Each of these vulnerabilities can be exploited remotely, and public exploits are known to target these vulnerabilities.
ICS-CERT has coordinated these vulnerabilities with the development and manufacturing company of Pro-face branded products, Digital Electronics, which has produced an update that resolves these vulnerabilities.
Digital Electronics reports that the vulnerabilities affect the following products.
- data management software Pro-Server EX versions 1.00.00 through 1.30.00, and
- HMI screen editor and logic programming software GP-Pro EX and related software WinGP Versions 2.00.00 through 3.01.100.
Exploitation of the reported vulnerabilities can result in a denial of service (DoS) or arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Pro-face is HMI-related hardware and software product found in a wide range of industries such as oil and gas, food and beverage, and water and wastewater industries. Pro-face products are used throughout the world, the highest number sold in Japan and the Asian Pacific area. According to its Web site, Pro-Server EX is a data management server that collects information generated by a PLC system through an HMI unit and generates reports. In February 2001, Pro-face America, Inc., a subsidiary of Digital Electronics Corporation, purchased Xycom Automation.
A specially crafted packet can cause an integer overflow that leads to a buffer overflow in an arbitrary memory location. Out-of-bounds memory access may result in the corruption of memory or instructions that may lead to a crash. The execution of arbitrary code may be possible. Other attacks leading to lack of availability may also be possible.
CVE-2012-3792b has been assigned to this vulnerability. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).
It is possible to exploit an integer overflow to crash the server which could be considered a denial of service.
CVE-2012-3793d has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).
It is possible to terminate the server because of an unhandled exception. Exploitation of this vulnerability will cause a denial-of-service condition.
CVE-2012-3794f has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:P).
Invalid Memory Read Accessg
An attacker may crash the server by copying a large amount of memory from the target system.
CVE-2012-3795h and CVE-2012-3796i have been assigned to these vulnerabilities. A CVSS v2 base score of 5.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:N/A:P).
An attacker is able to write more data to a memory location than is allocated due to a lack of size checks. This will likely result in a system crash.
CVE-2012-3797k has been assigned to this vulnerability. A CVSS v2 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:P/A:N).
These vulnerabilities can be remotely exploited.
Existence of Exploit
Public exploits are known to target these vulnerabilities.
An attacker with a moderate skill level would be able to exploit these vulnerabilities.
Digital Electronics has released patch modules on its Web site at the following location: http://www.pro-face.com/news/2012/0606.html.
The patch module prevents the Pro-Server EX and WinGP from an attack using inaccurate packets.
Digital Electronics recommends the following in addition to applying the patch:
- Review all network configurations for control system devices.
- Remove unnecessary PCs from control system networks.
- Remove unnecessary applications from control system networks.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, Web site last accessed June 27, 2012.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3792, Web site last visited June 27, 2012.
- c. CWE-680: Integer Overflow to Buffer Overflow, http://cwe.mitre.org/data/definitions/680.html, Web site last accessed June 27, 2012.
- d. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3793, Web site last visited June 27, 2012.
- e. CWE-388: Error Handling, http://cwe.mitre.org/data/definitions/388.html, Web site last accessed June 27, 2012.
- f. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3794, Web site last accessed June 27, 2012.
- g. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer,
- h. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3795, Web site last accessed June 27, 2012.
- i. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3796, Web site last accessed June 27, 2012.
- j. CWE-788: Access of Memory Location After End of Buffer, http://cwe.mitre.org/data/definitions/788.html, Web site last accessed June 27, 2012.
- k. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3797, Web site last accessed June 27, 2012.