Advantech Studio Test Web Server Buffer Overflow
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
The ICS-CERT has received a report from independent security researcher Jeremy Brown that reveals a stack-based buffer overflow vulnerability in the test web server bundled with Advantech Studio Version 6.1. This web server is intended to be used for testing purposes and should not be used in a production environment. Advantech has verified the problem and has developed a patch to mitigate the vulnerability.
This vulnerability affects the test web server bundled with Advantech Studio Version 6.1 and all previous versions. This does not apply to Windows CE versions.
Advantech recommends using the bundled test web server only for testing purposes. If the bundled test web server is not used in production, the impact of this vulnerability should be minimal.
While a successful exploit of the buffer overflow could allow arbitrary code execution, the specific impact to an individual organization depends on many factors that are unique to the organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Advantech Studio is a collection of automation tools that includes components required to develop Human-Machine Interfaces (HMIs), and Supervisory Control and Data Acquisition System (SCADA) applications that run on various Windows platforms. According to Advantech, Advantech Studio is currently being used in nearly 2,000 installations worldwide. Advantech Studio can be used in a variety of applications including remote utility management, building automation, water and wastewater management, and factory automation.
The Advantech Studio bundled test web server is vulnerable to a stack-based buffer overflow when more than 2048 bytes are written to the fixed-size stack buffer. When sending a request greater than 2048 bytes, the test web server writes past the bounds of the buffer and corrupts memory, allowing the execution of arbitrary code.
This vulnerability is remotely exploitable.
Existence of Exploit
There are currently no publicly known exploits specifically targeting this vulnerability.
An attacker would require an intermediate skill level to exploit this vulnerability.
If the bundled test web server is being used in a production environment, Advantech recommends migrating to Microsoft Internet Information Services (IIS).
Advantech further recommends that users of Advantech Studio take the following mitigation steps:
- Upgrade to the latest version and install the patch. The patch can be applied to Advantech Studio Version 6.1 and any earlier version. Users can get more information and download the patch.
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.1
- Control system networks and devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control System Security Program also provides a recommended practices section for control systems on the United States Computer Emergency Readiness Team (US-CERT) web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- 1. ICS-CERT ALERT, http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-301-01.pdf, website last visited December 3, 2010.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.