Buffer overflow and data corruption vulnerabilities, discovered by researcher Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center, affect ActiveX components in Siemens Tecnomatix FactoryLink versions V18.104.22.168, V7.5.217 (V7.5 SP2), and V6.6.1 (V6.6 SP1).
The Siemens Tecnomatix FactoryLink software is used for monitoring and controlling industrial processes in variety of industries, including oil and gas, chemicals, food and beverage, and building automation.
The buffer overflow vulnerability is exploited by inputting a long string to a specific parameter, causing a buffer overflow that could allow the execution of arbitrary code. The data corruption vulnerability is exploited by inputting arbitrary data, causing a file save to any specified location on the target system, the ICS-CERT explained.
Siemens has released a patch to its customers to address these vulnerabilities. ICS-CERT has confirmed that the Siemens patch resolves the reported vulnerabilities.
In addition, Microsoft has released a kill bit to address the ActiveX vulnerabilities. Customers of Siemens Tecnomatix FactoryLink should also install the security update referenced in the Microsoft Security Advisory 2562937, the ICS-CERT advised.