U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-12-137-02)

Advantech Studio ISSymbol ActiveX Buffer Overflow

Original release date: May 16, 2012 | Last revised: January 23, 2014

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

This advisory is a follow-up to the original alert titled ICS-ALERT-11-131-01 - Advantech Studio ISSymbol ActiveX Buffer Overflow Vulnerabilities that was published May 11, 2011, on the ICS-CERT web page.

A remote attacker could exploit these vulnerabilities; publicly available exploit code is known to exist that targets these vulnerabilities.

Independent researcher Dmitriy Pletnev of Secunia has identified multiple buffer overflow vulnerabilities in the Advantech Studio product. Advantech has produced a new version that mitigates these vulnerabilities. Mr. Pletnev has tested the new version to validate that it resolves the vulnerabilities.

Affected Products

The researcher reported that these vulnerabilities affect the following versions of Advantech Studio:

  • Advantech ISSymbol ActiveX Control 61.6.0.0, and
  • Advantech Studio 6.1 SP6 Build 61.6.01.05.

Impact

Successful exploitation of these vulnerabilities could allow an attacker to arbitrarily execute code.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and product implementation.

Background

Advantech Studio is a collection of automation tools that includes components required to develop human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) system applications that run on various Windows platforms. According to Advantech, Advantech Studio is currently being used at nearly 2,000 installations worldwide. Advantech Studio can be used in a variety of applications including remote utility management, building automation, water and wastewater management, and factory automation.

Vulnerability Characterization

Vulnerability Overview

Buffer Overflows

Boundary errors when processing any of four different properties can be exploited to cause buffer overflows, which in turn can allow execution of arbitrary code.

CVE-2011-0340 has been assigned to these vulnerabilities.

Vulnerability Details

Exploitability

These vulnerabilities are remotely exploitable.

Existence of Exploit

Public exploits are known to target these vulnerabilities.

Difficulty

An attacker with a low skill level can create the denial of service whereas it would require a more skilled attacker to execute arbitrary code.

Mitigation

Advantech recommends that users of Advantech Studio Version 6.1 and earlier versions upgrade to the new version, Advantech Studio 7.0. Customers should contact their authorized Advantech distributor or their Advantech account manager to discuss the transition plan to Advantech Studio 7.0. Advantech further recommends that users affected by this announcement read the customer notice found at the following link:
http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm.

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top