SCADA Engine BACnet OPC Client Buffer Overflow Vulnerability
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This advisory is a follow-up to ICS-ALERT-10-260-01 SCADA Engine BACnet OPC Client Buffer Overflow, which was published on the ICS-CERT Web site on September 17, 2010.
A buffer overflow vulnerability has been reporteda in SCADA Engine’s BACnet OPC Client. Using a specially crafted malicious file, this vulnerability could allow an attacker to crash the application and execute arbitrary code. A software update is available that resolves this vulnerability.
ICS-CERT is aware that exploit code for this vulnerability is publicly available.b However, ICS-CERT has not received any reports of the vulnerability being exploited in the wild.
ICS-CERT has confirmed the vulnerability in Version 1.0.24. Older versions may also be affected.
SCADA Engine has released a software update, Version 1.0.25, which ICS-CERT has confirmed effectively mitigates the vulnerability.
User interaction is required to successfully exploit this vulnerability. If the vulnerability is exploited successfully, arbitrary execution of code is possible.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
SCADA Engine’s BACnet OPC client connects an OPC server to any BACnet compliant device. The client supports OPC Data Access Specification 1.0 and 2.0 and OPC Alarms and Events Specification 1.0. The Client supports the DS-RP-A, DS-RPM-A, DS-WP-A, DS-WPM-A, DS-COV-A, DS-COVU-A, AE-N-A, AE-ACK-A, AE-ASUM-A, AE-ESUM-A, DM-DDB-A and SCHED-A BACnet Interoperability Building Blocks (BIBBs).c
The BACnet OPC Client is supported on the following operating systems: Windows NT 4.0, Windows 2000, and Windows XP.
The BACnet protocol was developed by the American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE) and is generally used for building automation and control systems. Building automation products are used to control all aspects of a building, such as:
- Heating, cooling, and ventilation
- Chillers, boilers
- Air handling units
- Security, lighting
- Miscellaneous equipment.d
Security researcher Jeremy Brown discovered a stack-based buffer overflow in SCADA Engine’s BACnet OPC Client. A boundary error exists in WTclient.dll when preparing a status log message. This can be exploited to create a buffer overflow when the client opens a specially crafted malicious file (e.g., *.csv file).
Successful exploitation of this vulnerability results in arbitrary code execution potentially leading to a system compromise. A successful exploit requires that a user open a specially crafted file.
Existence of Exploit
Exploit code for this vulnerability is publicly available.e
Social engineering is required to convince the user to open the malicious file. This increases the difficulty of a successful exploit.
A software update is available and can be downloaded from the SCADA Engine download page.f
Until the update is applied, ICS-CERT recommends industrial control systems owners and operators take extreme caution when opening unexpected or untrusted files, especially *.csv files.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control Systems Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in e-mail messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
- a. Secunia Advisory SA41466, http://secunia.com/advisories/41466/, website last accessed September 21, 2010
- b. http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt, website last accessed September 21, 2010
- c. BACnet OPC Client, http://www.scadaengine.com/software7.html, website last accessed September 21, 2010
- d. BACnet Software for Building Automation, http://www.scadaengine.com, website last accessed September 21, 2010
- e. http://packetstormsecurity.org/1009-exploits/bacnet-overflow.py.txt, website last accessed September 21, 2010
- f. SCADA Engine Download Page, http://www.scadaengine.com/downloads.html, website last accessed September 21, 2010
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.