
Wonderware InTouch 8.0 NetDDE Vulnerability - S4 Preview

The guys at Neutralbit in Barcelona continue to do great work. This time it is Xavi Panadero in the lead with assistance from Lluis Mora.

During a project they identified a serious vulnerability in Wonderware’s InTouch Version 8.0 that was disclosed by US-CERT today. The default configuration settings of NetDDE allow an application with NetDDE support to be remotely invoked on the system. The permissions applied to the share are “Full Control” for the “Everybody” group. Any user with access to this share can use these permissions to execute commands on the remote server.

NetDDE is a protocol that exchanges information between applications. It is not strictly speaking a control system protocol, but it is used extensively in control system applications.

The US-CERT disclosure discusses updating to Version 9.0 or 10.0 to mitigate the problem and blocking the usual Microsoft ports at the firewall. Another option if you are stuck on Version 8.0 is to review and restrict the security permissions of the universal share using DDESHARE.EXE.

We are co-authoring an S4 paper with Xavi on NetDDE vulnerabilities. The paper includes discussions on NetDDE security, the NetDDE vulnerability and a proof of concept exploit tool developed by Neutralbit that demonstrates the seriousness of this vulnerability. The second part of the paper will create a threat model around this vulnerability to introduce the power of threat modeling to the S4 audience.

This paper is Session 2 in the S4 program, and the description there was intentionally a bit vague while we were awaiting US-CERT vulnerability disclosure.

Stay tuned for my disclosure rant on this vulnerability tomorrow.
