Invensys Wonderware SuiteLink Denial of Service

From SCADApedia

Vulnerability

The Wonderware SuiteLink program contains a remote denial-of-service vulnerability that allows unauthorized users to crash the process and possibly the system.

The vulnerability was found in the Wonderware SuiteLink Service (slssvc.exe). It could allow an unauthenticated remote attacker who can connect to the SuiteLink service TCP port to shut down the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.

Unauthenticated client programs connecting to the service can send a malformed packet that causes a memory allocation operation to fail, returning a NULL pointer. Because the result of the memory allocation operation is not checked for errors, the program later tries to use the pointer as the destination for a memory copy operation, triggering an access violation error and terminating the service.

An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in a Registration packet.
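The missing checks described above, shown as a hardened length-prefixed parser. This is an added example, not Wonderware code: the record layout (4-byte little-endian length followed by the payload), the `MAX_PAYLOAD` ceiling and the `parse_record` name are assumptions for illustration and do not represent the SuiteLink wire format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (constructed, NOT the SuiteLink wire format):
 * 4-byte little-endian length field followed by that many payload bytes. */
#define HDR_LEN      4u
#define MAX_PAYLOAD  4096u   /* assumed protocol ceiling */

enum parse_status { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_LARGE = -2,
                    PARSE_TRUNCATED = -3, PARSE_NOMEM = -4 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copies the payload into a fresh buffer; caller frees *out on PARSE_OK. */
int parse_record(const uint8_t *buf, size_t buf_len,
                 uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (buf_len < HDR_LEN)
        return PARSE_SHORT;

    uint32_t claimed = read_le32(buf);

    /* 1. Reject lengths above the protocol ceiling before allocating. */
    if (claimed > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;
    /* 2. Never trust the field beyond the bytes actually received. */
    if ((size_t)claimed > buf_len - HDR_LEN)
        return PARSE_TRUNCATED;

    /* 3. Check the allocation result before it is used as a copy destination. */
    uint8_t *copy = malloc(claimed ? claimed : 1);
    if (copy == NULL)
        return PARSE_NOMEM;

    memcpy(copy, buf + HDR_LEN, claimed);
    *out = copy;
    *out_len = claimed;
    return PARSE_OK;
}
```

Each error path returns before any pointer is dereferenced, so a bad length field ends with a rejected record instead of a crashed service.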

This vulnerability was discovered and researched by Sebastian Muniz from the Exploit Writers Team (EWT) at Core Security Technologies.

Affected Systems

SuiteLink is not a product; it is a Wonderware-developed device connectivity service supported by many Wonderware products. Other device connectivity services in Wonderware include OPC and DDE.

Wonderware has not identified all of the products and versions this vulnerability will affect. It was found in InTouch 8.x, but SuiteLink is still used in the current version, InTouch 10.x. Wonderware users should assume that the vulnerability is in their product until proven otherwise.

Impact

An unauthenticated, remote attacker could crash any system running Wonderware SuiteLink.

The vulnerability can be triggered by an unauthenticated remote user from any location where port 5413/tcp of the remote machine is reachable.

Detection

Vulnerability details have been released by Core Security, but at this time the only way to check for this vulnerability is to check the version number of your Wonderware SuiteLink server.

The vendor states that applying the patch is recommended in all cases, and part of the patch program determines whether the patch is required in the Wonderware product.

Remediation

Invensys has addressed the vulnerability in SuiteLink 2.0 patch 01. Information about the patch can be found on the Wonderware tech alert listed below.

Restrict network access to the server.

It is unclear whether the SuiteLink service can be disabled if not used.

External Links

US-CERT Vulnerability Note 596268

Wonderware Tech Alert 106

Core Security