|
|
Rule: 1111647
| GEN:SID |
1:1111647 |
| Message |
On_FC_BINFILE_FCS_*FILE Buffer Overflow 5 |
| Rule |
alert tcp any any -> any 910 (msg:"ETPRO SCADA RealFlex RealWin SCADA On_FC_BINFILE_FCS_*FILE Buffer Overflow 5"; flow:to_server,established; isdataat:270; content:"|10 23 54 67|"; offset:0; byte_test:4,>,256,0,relative,little; content:"|10 00 0B 00|"; distance:6; within:4; classtype:attempted-user; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; sid:1111647; rev:1;) |
| Summary |
An attacker with logical access can send a malformed On_FC_BINFILE_FCS_*FILE packet to cause the application to crash. |
| Impact |
Denial of service and possible ability to run arbitrary code. |
| Detailed Information |
RealWin is an HMI application used in ICS. This attack is a stack overflow. |
| Affected Systems |
RealFlex Technologies Ltd. RealWin Build 2.1.10 and prior. |
| Attack Scenarios |
An attacker with IP connectivity and exploit code launches the attack. The service will crash, and it may allow the attacker to run arbitrary code on the system. |
| Ease of Attack |
Simple. There is exploit code available. |
| False Positives |
None known. |
| False Negatives |
None known. |
| Corrective Action |
Apply the 2.1.11 vendor patch and investigate where the attack came from. |
| Contributors |
Dale Peterson |
|
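The rule's payload options, evaluated in order, as an added Python example (not part of the original rule documentation or the rule author's code). The names `rule_matches` and `sample` and all test payloads are constructed for illustration; flow state and the destination port 910 check are not modelled.

```python
import struct

MAGIC = bytes.fromhex("10235467")    # content:"|10 23 54 67|"; offset:0;
MARKER = bytes.fromhex("10000b00")   # content:"|10 00 0B 00|"; distance:6; within:4;


def rule_matches(payload: bytes) -> bool:
    """Payload-only emulation of sid:1111647 for tuning and regression tests."""
    # isdataat:270 -> a byte must exist at absolute offset 270 (length >= 271).
    if len(payload) <= 270:
        return False
    start = 0
    while True:
        # offset:0 without depth only sets where the search begins, so the
        # magic may be found anywhere; later occurrences are retried when
        # the relative options that follow do not match.
        m = payload.find(MAGIC, start)
        if m < 0:
            return False
        start = m + 1
        cursor = m + len(MAGIC)  # end of the first content match
        if cursor + 4 > len(payload):
            return False
        # byte_test:4,>,256,0,relative,little -> 4 bytes right after the magic
        (value,) = struct.unpack_from("<I", payload, cursor)
        if value <= 256:
            continue
        # byte_test does not move the cursor, so distance:6 plus within:4 on
        # a 4-byte pattern pins the marker to exactly cursor+6 .. cursor+10.
        if payload[cursor + 6:cursor + 10] == MARKER:
            return True


def sample(value: int, size: int, marker: bytes = MARKER) -> bytes:
    """Constructed test vector: magic, LE value, 2 filler bytes, marker, zeros."""
    head = MAGIC + struct.pack("<I", value) + b"\x00\x00" + marker
    return head.ljust(size, b"\x00")


if __name__ == "__main__":
    for label, data in [
        ("value 0x200, 300 bytes", sample(0x200, 300)),
        ("value 0x100, 300 bytes", sample(0x100, 300)),
        ("value 0x200, 270 bytes", sample(0x200, 270)),
        ("magic shifted by 5 bytes", b"\x00" * 5 + sample(0x200, 300)),
    ]:
        print(f"{label}: {'alert' if rule_matches(data) else 'no alert'}")
```

The boundary cases are the useful ones when porting the rule to another engine: a value of exactly 256 and a payload of exactly 270 bytes both fall outside the match.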