
Advisory (ICSA-11-017-02)

Sielco Sistemi WinLog Stack Overflow

Original release date: January 17, 2011 | Last revised: January 02, 2014

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

Independent researcher Luigi Auriemma reported a stack overflow vulnerability in Version 2.07.00 of the Sielco Sistemi WinLog Lite and Winlog Pro HMI software.

Sielco Sistemi has developed an update (Version 2.07.01) to address this vulnerability. The researcher has verified that the update is effective in correcting this vulnerability.

Affected Products

This vulnerability affects all versions of Sielco Sistemi’s WinLog Lite and WinLog Pro prior to Version 2.07.00.

Impact

Winlog is used in building automation, monitoring systems, and food production in 16 countries around the world. Sielco Sistemi is based in Italy.

While a successful exploit of this vulnerability could lead to arbitrary code execution, the impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

Winlog is a SCADA/HMI software package for the supervision of industrial and civil plants. It can connect to PLCs, controllers, motor drives, and I/O modules.

Vulnerability Characterization

Vulnerability Overview

The Winlog system can act as a server when the "Run TCP/IP server" option is enabled. The server listens on TCP port 46823. A specially crafted packet from a remote attacker can cause a stack overflow, possibly allowing the attacker to execute arbitrary code.
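The following added example (not part of the ICS-CERT advisory or of Sielco Sistemi's software) shows one way to audit a Winlog host for the listener described above: it parses Windows `netstat -ano` output and reports whether TCP port 46823 is listening and which connected peers fall outside an allowed subnet. The sample output, the `audit` and `split_endpoint` function names, and the 10.20.0.0/24 allowlist are constructed for illustration.

```python
import ipaddress

WINLOG_PORT = 46823  # TCP port named in the advisory

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:46823          0.0.0.0:0              LISTENING       4120
  TCP    10.20.0.5:46823        10.20.0.20:51514       ESTABLISHED     4120
  TCP    10.20.0.5:46823        203.0.113.9:40222      ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1234
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def audit(netstat_text, allowed_nets, port=WINLOG_PORT):
    """Return (listeners, unexpected_peers) for the given TCP port."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    listeners, unexpected = [], []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, UDP, or malformed row
        local_ip, local_port = split_endpoint(f[1])
        if local_port != port:
            continue
        if f[3] == "LISTENING":
            # A listener bound to 0.0.0.0 or :: is reachable on every interface.
            scope = "loopback-only" if local_ip.is_loopback else (
                "all-interfaces" if local_ip.is_unspecified else "single-interface")
            listeners.append((str(local_ip), scope, int(f[4])))
        elif f[3] == "ESTABLISHED":
            peer, _ = split_endpoint(f[2])
            if not any(peer in n for n in nets):
                unexpected.append(str(peer))
    return listeners, unexpected

if __name__ == "__main__":
    listeners, unexpected = audit(SAMPLE, ["10.20.0.0/24"])
    print("listeners:", listeners)
    print("peers outside allowlist:", unexpected)
```

An empty listener list means the "Run TCP/IP server" option is not exposing the port on that host; the PID in each listener tuple identifies the owning process for follow-up.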

Vulnerability Details

Exploitability

This vulnerability is exploitable from a remote machine.

Existence of Exploit

Exploit code and vulnerability details are publicly available.

Difficulty

A high level of skill is needed to exploit this vulnerability.

Mitigation

ICS-CERT recommends that users of Sielco Sistemi’s Winlog system take the following mitigation steps:

Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
