Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Multiple flaws identified in industrial control products

Researchers have identified a number of vulnerabilities in industrial control systems, warned ICS-CERT
Researchers have identified a number of vulnerabilities in industrial control systems, warned ICS-CERT

Invensys Wonderware Information Server provides industrial information content, including process graphics, trends, and reports, and the server’s Web Client provides access to reports, analysis, or writeback capabilities to processes. The versions affected are 4.0 SP1 and 4.5 for portal and client.

The flaws, for which Invensys has issued patches, include cross-site scripting and SQL injection vulnerabilities, as well as a security access permission problem.

ICS-CERT explained that at an attacker with a low skill level could undertake a denial-of-service attack, but it would require a more skilled attacker to execute arbitrary code.

In a separate announcement, ICS-CERT said that there two buffer overflow vulnerabilities were identified in the WWCabFile component of the Wonderware System Platform, which is used by multiple applications that run on the platform. Researcher Celil Unuver from SignalSec discovered the vulnerabilities.

Affected products are: Wonderware Application Server 2012 and all prior versions, Foxboro Control Software Version 3.1 and all prior versions, InFusion CE/FE/SCADA 2.5 and all prior versions, Wonderware Information Server 4.5 and all prior versions, ArchestrA Application Object Toolkit 3.2 and all prior versions, and InTouch 10.0 to 10.5 only (earlier versions of InTouch are not affected).

Invensys has also issued patches for these vulnerabilities, ICS-CERT said.
 

What’s Hot on Infosecurity Magazine?