CitectSCADA Stack Overflow Vulnerability
From SCADApedia
Vulnerability
The CitectSCADA and CitectFacilities programs contain a remotely exploitable vulnerability in an ODBC module that allows arbitrary code execution and DoS attacks. The flaw is triggered by sending two packets to the ODBC server. The first packet specifies the buffer size and the second contains the data. The server program then copies data from the second packet into an internal data buffer of fixed size. The receiving internal buffer is never checked to see whether it is large enough to hold the data copied into it. This creates a classic buffer overflow.
This vulnerability was discovered and researched by Sebastian Muniz from the Exploit Writers Team (EWT) at Core Security Technologies.
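To make the two-packet mechanism concrete, the following is an added illustration written for this page; it is not Citect's code and does not reproduce the real protocol. The buffer size (RECV_BUF_SIZE), the 4-byte little-endian length field, the frame layout and the sample frames are all constructed assumptions. It shows the unchecked copy pattern the advisory describes as a comment, and beside it a hardened handler that rejects a declared length larger than the fixed buffer and a payload that does not match the declared length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size receive buffer. The real size in CitectSCADA is
   not stated on the page; 64 is chosen only so the checks are easy to see. */
#define RECV_BUF_SIZE 64

enum frame_status {
    FRAME_OK = 0,
    FRAME_HEADER_SHORT,        /* first packet too short to carry a length field */
    FRAME_LEN_EXCEEDS_BUFFER,  /* declared length larger than the fixed buffer */
    FRAME_LEN_MISMATCH         /* second packet does not carry the declared length */
};

struct conn_state {
    uint8_t data[RECV_BUF_SIZE];  /* fixed-size internal buffer */
    size_t  used;                 /* bytes currently valid in data */
};

/* Read a 4-byte little-endian length from the first packet (assumed layout). */
static int read_declared_len(const uint8_t *hdr, size_t hdr_len, uint32_t *out)
{
    if (hdr_len < 4)
        return -1;
    *out = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    return 0;
}

/* Vulnerable pattern as the advisory describes it: trust the length from
   packet one and copy that many bytes from packet two into the fixed buffer.
   Shown only for contrast and deliberately never called:
   memcpy(st->data, payload, declared);
*/

/* Hardened handler: every length is validated before any byte is copied. */
enum frame_status handle_frames(struct conn_state *st,
                                const uint8_t *hdr, size_t hdr_len,
                                const uint8_t *payload, size_t payload_len)
{
    uint32_t declared;

    if (read_declared_len(hdr, hdr_len, &declared) != 0)
        return FRAME_HEADER_SHORT;
    if (declared > RECV_BUF_SIZE)          /* the missing bounds check */
        return FRAME_LEN_EXCEEDS_BUFFER;
    if (declared != payload_len)           /* declared size must match what arrived */
        return FRAME_LEN_MISMATCH;

    memcpy(st->data, payload, declared);
    st->used = declared;
    return FRAME_OK;
}

/* Convenience wrapper around a single connection state, so callers can
   process one request at a time and inspect how much was accepted. */
static struct conn_state g_conn;

enum frame_status process_request(const uint8_t *hdr, size_t hdr_len,
                                  const uint8_t *payload, size_t payload_len)
{
    return handle_frames(&g_conn, hdr, hdr_len, payload, payload_len);
}

size_t accepted_bytes(void)
{
    return g_conn.used;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t SAMPLE_HDR_OK[4]      = {5, 0, 0, 0};          /* declares 5 bytes */
const uint8_t SAMPLE_PAYLOAD_OK[5]  = {'h', 'e', 'l', 'l', 'o'};
const uint8_t SAMPLE_HDR_HUGE[4]    = {0xFF, 0xFF, 0, 0};    /* declares 65535 bytes */
const uint8_t SAMPLE_HDR_SHORT[2]   = {5, 0};                /* truncated header */

int main(void)
{
    printf("valid frame:        %d\n", process_request(SAMPLE_HDR_OK, 4, SAMPLE_PAYLOAD_OK, 5));
    printf("oversized length:   %d\n", process_request(SAMPLE_HDR_HUGE, 4, SAMPLE_PAYLOAD_OK, 5));
    printf("length mismatch:    %d\n", process_request(SAMPLE_HDR_OK, 4, SAMPLE_PAYLOAD_OK, 3));
    printf("truncated header:   %d\n", process_request(SAMPLE_HDR_SHORT, 2, SAMPLE_PAYLOAD_OK, 5));
    return 0;
}
```

The oversized-length case is the one the advisory describes: a declared size larger than the fixed buffer that the original code copied anyway. The mismatch check is the companion defence, since a length that is in bounds but larger than the bytes actually received would otherwise read past the end of the second packet.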
Affected Systems
An exposed ODBC interface on the following Citect products:
- CitectSCADA v6
- CitectSCADA v7
- CitectFacilities v7
Impact
An unauthenticated, remote attacker can create a denial of service condition or execute arbitrary code on affected systems to gain remote control of the system.
The CitectSCADA application is used to monitor and control PLCs and other field devices. An attacker who gained control of the CitectSCADA workstation or server could use it to control the process or to disrupt the asset owner's ability to monitor and control the process.
Detection
Vulnerability details are available from Core Security. Any CitectSCADA v6 or v7 or CitectFacilities v7 installation with the ODBC service listening on port 20222 is vulnerable.
Remediation
Disable the ODBC service if it is not used.
A patch is available from the vendor.
