Invensys Wonderware Information Server provides industrial information content, including process graphics, trends, and reports, and the server’s Web Client provides access to reports, analysis, or writeback capabilities to processes. The versions affected are 4.0 SP1 and 4.5 for portal and client.
The flaws, for which Invensys has issued patches, include cross-site scripting and SQL injection vulnerabilities, as well as a security access permission problem.
ICS-CERT explained that at an attacker with a low skill level could undertake a denial-of-service attack, but it would require a more skilled attacker to execute arbitrary code.
In a separate announcement, ICS-CERT said that there two buffer overflow vulnerabilities were identified in the WWCabFile component of the Wonderware System Platform, which is used by multiple applications that run on the platform. Researcher Celil Unuver from SignalSec discovered the vulnerabilities.
Affected products are: Wonderware Application Server 2012 and all prior versions, Foxboro Control Software Version 3.1 and all prior versions, InFusion CE/FE/SCADA 2.5 and all prior versions, Wonderware Information Server 4.5 and all prior versions, ArchestrA Application Object Toolkit 3.2 and all prior versions, and InTouch 10.0 to 10.5 only (earlier versions of InTouch are not affected).
Invensys has also issued patches for these vulnerabilities, ICS-CERT said.