Advantech OPC Server Buffer Overflow

Overview

ICS-CERT originally released Advisory ICSA-11-279-01P on the US-CERT secure Portal on October 06, 2011. This web page release was delayed to allow users time to download and install the update.

Security research and service institute Information and Communication Security Technology Center (ICST) has identified a buffer overflow vulnerability that affects multiple Advantech OPC (OLE for Process Control) Server products. This vulnerability may allow remote code execution and elevated user privileges.

Advantech has produced a new software version that mitigates this vulnerability. ICST has tested the new version and confirmed that it fully resolves this vulnerability.

Affected Products

The following versions of OPC Server are affected:

• Advantech ADAM OPC Server Versions prior to V3.01.012
• Advantech Modbus RTU OPC Server Versions prior to V3.01.010
• Advantech Modbus TCP OPC Server Versions prior to V3.01.010.

Impact

Impact to individual organizations depends on many operational factors that are unique to each organization. The buffer overflow in the Advantech ADAM OPC Server ActiveX control could allow remote attackers to execute arbitrary code and gain/elevate privileges to the currently logged in user. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

Advantech is a Taiwanese-based company that manufactures and sells industrial personal computers (PCs), embedded computers, automation controllers, and software to customers in the energy, telecommunications, and transportation industries.

According to Advantech, OPC Server is an interface for industrial device servers. The Advantech ADAM OPC server allows Input/Output (I/O) devices to communicate with a wide range of human-machine interface (HMI)/supervisory control and data acquisition (SCADA) software packages. Any software system with OPC client capabilities can access the Advantech OPC server drivers. The Advantech ADAM OPC Server is installed primarily in East Asia with a few installations in North America.

Vulnerability Characterization

Vulnerability Overview

The buffer overflow in the Advantech ADAM OPC Server ActiveX control might allow remote attackers to execute arbitrary code and gain privileges as the currently logged in user.

CVE-2011-1914 has been assigned to this vulnerability.

Vulnerability Details

Exploitability

This vulnerability is remotely exploitable.

Existence of Exploit

No known exploits specifically target this vulnerability.

Difficulty

An attacker with a low skill level can create a denial of service; however, a more skilled attacker could execute arbitrary code.

Mitigation

Advantech has created a patchb to mitigate this vulnerability. ICST has tested the patch to verify that the vulnerability has been corrected. The patches for the three products can be downloaded at the following location: http://support.advantech.com.tw/support/DownloadSRDetail.aspx?SR_ID=1-2NMHLB.

In addition to applying the patch developed by Advantech, ICS-CERT encourages asset owners to take additional defensive measures to reduce the cybersecurity risk introduced by this vulnerability.

• Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or downloading, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.