U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.

Advisory (ICSA-11-279-01)

Advantech OPC Server Buffer Overflow

Original release date: November 04, 2011 | Last revised: October 28, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

ICS-CERT originally released Advisory ICSA-11-279-01P on the US-CERT secure Portal on October 06, 2011. This web page release was delayed to allow users time to download and install the update.

Security research and service institute Information and Communication Security Technology Center (ICST) has identified a buffer overflow vulnerability that affects multiple Advantech OPC (OLE for Process Control) Server products. This vulnerability may allow remote code execution and elevated user privileges.

Advantech has produced a new software version that mitigates this vulnerability. ICST has tested the new version and confirmed that it fully resolves this vulnerability.

Affected Products

The following versions of OPC Server are affected:

  • Advantech ADAM OPC Server Versions prior to V3.01.012
  • Advantech Modbus RTU OPC Server Versions prior to V3.01.010
  • Advantech Modbus TCP OPC Server Versions prior to V3.01.010.

Impact

Impact to individual organizations depends on many operational factors that are unique to each organization. The buffer overflow in the Advantech ADAM OPC Server ActiveX control could allow remote attackers to execute arbitrary code and gain/elevate privileges to the currently logged in user. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

Advantech is a Taiwanese-based company that manufactures and sells industrial personal computers (PCs), embedded computers, automation controllers, and software to customers in the energy, telecommunications, and transportation industries.

According to Advantech, OPC Server is an interface for industrial device servers. The Advantech ADAM OPC server allows Input/Output (I/O) devices to communicate with a wide range of human-machine interface (HMI)/supervisory control and data acquisition (SCADA) software packages. Any software system with OPC client capabilities can access the Advantech OPC server drivers. The Advantech ADAM OPC Server is installed primarily in East Asia with a few installations in North America.

Vulnerability Characterization

Vulnerability Overview

The buffer overflow in the Advantech ADAM OPC Server ActiveX control might allow remote attackers to execute arbitrary code and gain privileges as the currently logged in user.

CVE-2011-1914 has been assigned to this vulnerability.

Vulnerability Details

Exploitability

This vulnerability is remotely exploitable.

Existence of Exploit

No known exploits specifically target this vulnerability.

Difficulty

An attacker with a low skill level can create a denial of service; however, a more skilled attacker could execute arbitrary code.

Mitigation

Advantech has created a patchb to mitigate this vulnerability. ICST has tested the patch to verify that the vulnerability has been corrected. The patches for the three products can be downloaded at the following location: http://support.advantech.com.tw/support/DownloadSRDetail.aspx?SR_ID=1-2NMHLB.

In addition to applying the patch developed by Advantech, ICS-CERT encourages asset owners to take additional defensive measures to reduce the cybersecurity risk introduced by this vulnerability.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or downloading, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top