security advisory

[ICS] Digital Canal Structural Wind Analysis Stack Buffer Overflow

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02

Vendor: Digital Canal Structural
Equipment: Wind Analysis
Vulnerability: Stack-Based Buffer Overflow

AFFECTED PRODUCTS
The following versions of Wind Analysis, a structural engineering software platform, are affected:
Wind Analysis versions 9.1 and prior.

IMPACT
Successful exploitation of this vulnerability could cause the device that the attacker is accessing to become unavailable, resulting in a denial of service.

Read on for details.

security advisory

[ICS] Trihedral VTScada Multiple Vulnerabilities

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure

AFFECTED PRODUCTS

The following versions of VTScada, an HMI SCADA software, are affected:
VTScada Versions prior to 11.2.26

Read on for details.

security advisory

Microsoft Office Patch Installers – Insecure Library loading allow code execution

Microsoft Office Patch Installer Executables – Insecure Library Loading Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading

Abstract

Microsoft Office Patch installer executables are found to be vulnerable to DLL side loading / hijacking issue.

This issue was observed when installing a patch for Microsoft Excel 2013 SP1. Patch installer for Microsoft Word was also tested and confirmed to exhibit the same behavior. Other patch installers may also be vulnerable.

In this writeup, I will document about MS Excel 2013 patch update KB3127968.

Read on for details.

security advisory

Microsoft Machine Debug Manager (mdm) – Insecure Library Loading Allows Code Execution

Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

ABOUT

The Machine Debug Manager, mdm.exe, is a program that provides support for program debugging.

During the testing, it was found that MDM is affected with DLL hijacking vulnerability. The following conditions are required to exploit MDM DLL hijacking vulnerability:

1. MDM (mdm.exe) is installed
2. Disable script debugging (Other) option is not selected (IE -> Internet Options -> Advanced)

Exploitation could be performed via multiple Windows applications. A few scenarios are documented here.

Read on for details.

security advisory

[ICS] Schneider Electric Wonderware InduSoft Web Studio Privilege Escalation

Schneider Electric Wonderware InduSoft Web Studio – Privilege Escalation

Vendor: Schneider Electric
Equipment: Wonderware InduSoft Web Studio
Vulnerability: Incorrect Default Permissions

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02

Read on for details.

security advisory

[ICS] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01

BLF-Tech LLC VisualView HMI Insecure Library Loading Allows Code Execution

Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: Uncontrolled Search Path Element

security advisory

[ICS] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

ICS-CERT published an advisory on one of my reports last month –
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01

Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System Software [IGSS]
Vulnerability: Uncontrolled Search Path Element

Read on for details.

security advisory

[ICS] Sierra Wireless Raven XE & XT ICS-CERT advisory published

Back in 2016, I released a report on multiple vulnerabilities in Sierra Wireless Raven XE & XT appliances:
https://ipositivesecurity.com/2016/06/25/ics-sierra-wireless-airlink-raven-xe-industrial-3g-gateway-multiple-vulnerabilities/

In response to it, ICS-CERT had posted an alert here:
https://ipositivesecurity.com/2016/07/01/ics-ics-alert-16-182-01-published-sierra-wireless-raven-xe-xt-vulnerabilities/

After almost an year, Sierra Wireless has resolved this report now, and a formal ICS-CERT advisory has been published:
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-02

CVE-IDs
CVE-2017-6042
CVE-2017-6044
CVE-2017-6046

Read on for more details.

security advisory

[ICS] Satel SenNet ICS-CERT advisory released

Recently, I had posted about multiple security vulnerabilities in SenNet Data Logger appliances and Electricity Meters – https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/

ICS-CERT finally released the advisory on May 11, 2017:
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02

Read on for more details.

security advisory

Rapid7 AppSpider vulnerabilities

Recently, I checked out Rapid7’s AppSpider Web Application Testing software. It is a Windows based application, and the demo version is available for anyone to play with.

I found 2 vulnerabilities in AppSpider – DLL Pre-loading & Buffer overflow – which I then reported privately to R7 team. The folks at Rapid7 confirmed my reports and released the CVE-ID# & fixed versions shortly after.

Here’s the writeup from Rapid7 Release Announcement:

* Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves -CVE-2017-5236
* Resolved buffer over flow crash in the AppSpider command line tool for inputs. Resolves -CVE-2017-5240

Read on for more details.