Core Security Technologies - CoreLabs Advisory
Title: Wonderware SuiteLink Denial of Service vulnerability
Advisory ID: CORE-2008-0129
Advisory URL: http://www.coresecurity.com/?action=item&id=2187
Date published: 2008-05-05
Date of last update: 2008-05-05
Vendors contacted: Wonderware
Release mode: Coordinated release
WonderWare is supplier of industrial automation and information software solutions. According to the company's website
"one third of the world's plants run Wonderware software solutions. Having sold more than 500,000 software licenses in
over 100,000 plants worldwide, Wonderware has customers in virtually every global industry - including Oil & Gas,
Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more".
WonderWare offers software solutions in the areas of Production and Performance Management, and Geographical SCADA and
Supervisory HMI (Human-Machine Interface). Several of these solutions running on Microsoft Windows Operating Systems
use a common software component, the SuiteLink Service, to implement communications between components using a
proprietary protocol over TCP/IP networks.
A vulnerability was found in Wonderware SuiteLink Service (
slssvc.exe) that could allow an
un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service
abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven,
but it has not been eliminated as a potential scenario.
- Systems using WonderWare SuiteLink prior to version 2.0 Patch 01.
- The vulnerability was discovered and tested on a system running WonderWare InTouch 8.0.
- Contact WonderWare for details.
Vendor Information, Solutions and Workarounds
The vendor has made a technical document available to registered customers detailing how to address this issue
Additionally, an extensive guide detailing how to deploy and secure Industrial Control Systems is available at the vendor's support site
Wonderware, a business unit of Invensys, is committed to collaborate with our customers and industry standards
committees to provide secure applications, security best practices, deployment guidelines, tools and prescriptive guidance
for maintaining a secure environment. A potential denial of service issue on an insecure network which could have been
instigated by a hostile internal user has been addressed in SuiteLink 2.0 Patch 01. More details can be found in Wonderware's
Tech Alert 106 posted on our website along with the Patch. (Please note that access to the Tech Alert and the Patch will require
that you register on our web site.) Wonderware users interested in upgrading should contact Wonderware or their local distributor.
This vulnerability was discovered and researched by Sebastian Muniz from the Exploit Writers Team (EWT) at Core Security Technologies.
Technical Description / Proof of Concept Code
WonderWare SuiteLink is a service that runs on Microsoft Windows Operating Systems listening for connections
on port 5413/tcp.
Un-authenticated client programs connecting to the service can send a malformed packet that causes a memory
allocation operation (a call to
new() operator) to fail returning a
pointer. Due to a lack of error-checking for the result of the memory allocation operation, the program later tries
to use the pointer as a destination for memory copy operation, triggering an access violation error and terminating
An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in
a Registration packet. The following binary excerpt shows where the problem is:
.text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet ... .text:00405C20 push edi .text:00405C21 test esi, esi ; Check value != 0 ... .text:00405C31 push esi ; Alloc with our length .text:00405C32 mov [ebp+var_4], 0 .text:00405C39 call operator new(uint); Big values return NULL .text:00405C3E mov ecx, esi ; Memcpy with our length .text:00405C40 mov esi, [ebp+pDestionationAddr] .text:00405C43 mov [ebx+4], eax ; new result is used as dest .text:00405C46 mov edi, eax ; address without checks. .text:00405C48 mov eax, ecx .text:00405C4A add esp, 4 .text:00405C4D shr ecx, 2 .text:00405C50 rep movsd ; AV due to invalid .text:00405C52 mov ecx, eax ; destination pointer. .text:00405C54 and ecx, 3
- 2008-01-30: Initial contact email sent by to Wonderware setting the estimated publication date of the advisory to February 25th.
- 2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
- 2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
- 2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgement of the notification of a security vulnerability.
- 2008-02-28: As requested during the phone call, Core re-sends the original notification mail, stating that an advisory draft describing the vulnerability is available since January 30th. The publication of the advisory is re-scheduled to March 24th.
- 2008-02-28: Vendor acknowledges the email notification.
- 2008-02-28: Core sends the advisory draft to Wonderware support team.
- 2008-02-29: Vendor acknowledges reception of the report and states that it understands the seriousness of the problem and that its development team will look into it.
- 2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
- 2008-03-03: Core sends proof-of-concept code written in Python.
- 2008-03-05: Vendor asks for compiler tools required to use the PoC code.
- 2008-03-05: Core sends a link to http://www.python.org where a Python interpreter can be downloaded.
- 2008-03-10: Vendor requests more information about the network and the firewall settings used during the tests and inquires about conformance (or lack thereof) of the tested network with the vendor's security policies and recommendations.
- 2008-03-10: Vendor asks for details about how the advisory will be published.
- 2008-03-12: Core responds that the workstation running the vulnerable service had no firewall activated in the tests, but since the Wonderware SuiteLink Service allows incoming connections it is assumed that the corresponding port should be allowed to receive inbound session establishment packets. Core offers the vendor the opportunity to include additional information in the "vendor information" section of the advisory. Core explains that the advisory will be published on Core's website and sent to security mailing lists. Core also reminds the vendor that the publication date of the advisory has been moved from February 25th to March 24th, and explains that it is willing to discuss a new publication date on the basis of having concrete plans, with a specific date for the fix release.
- 2008-03-21: Vendor indicates that it will be unable to commit to releasing fixes by March 24th and requests publication of the advisory to be delayed to create a fix for vulnerable customers. The development team is investigating how long it will take to make such a fix available. The vendor indicates that the previous questions about firewall setup referred to the vendor's recommended practices to secure networks on which their systems run using firewalls and IPsec.
- 2008-03-21: Vendor indicates that it is issuing a Tech Alert to its customers to address the issue. Details about the vulnerability have been minimized in the Tech Alert. The vendor expresses concern about the level of detail included in Core's advisory and requests that those details be removed from the advisory because they give more detail than what is needed to make people aware of the issue, and may lend itself to use by people who might want to exploit it. Early estimates put the delivery time for a fix at approximately three months, and the estimate is not final. Vendor asks Core to delay any publication until it is able to have a software fix ready.
- 2008-03-21: Core asks if the three-month estimate should be assumed to have begun since the vendor's initial acknowledgement of Core's notification -- which puts the estimated date for the release of a fix at the end of May -- or since the date of the last email received (fix released at the end of June). Core indicates that as of today it still has no confirmation from the vendor that the vulnerability was replicated and identified, and that the fix is already under development or testing, and that is the information needed to re-schedule the publication date. Core is expecting to receive that information from the vendor, but in the meantime publication of the advisory is re-scheduled to March 31st 2008. With regards to the questions and requests about the contents of the security advisory, Core indicates that Core's technical publications are aimed at providing legitimate security practitioners worldwide with the technical details necessary to understand the nature of the security issues reported; so they are able to devise, by their own judgment, the risk mitigation approach that fits them the best. For that purpose, Core believes that it is fundamental that they have precise and accurate technical details about security issues -- as Wonderware itself has demonstrated with the request for further technical details and proof-of-concept code -- and that the whole reporting and disclosure process is transparent for scrutiny of all interested parties.
- 2008-03-21: Vendor acknowledges Core's email and provides a copy of the issued Technical Alert 106 and indicates that will provide more information by March 25th 2008.
- 2008-03-26: Vendor confirms to have replicated the issue reported and indicated that the Tech Alert 106 sent to customers confirms and recognizes the issue. The Tech Alert also points out what measures can be taken to mitigate risk. A project has been charter and is in progress to fix this issue and properly QA the fix. With regard to the contents of Core's report, it says that stating that a Denial of Service of SuiteLink communication can be created from a remote node sends a corrupted data packet seems to be sufficient to make people aware. The vendor says that is having trouble understanding what the value is in providing specific detail as to what technical issue is happening and asks for clarification to understand how this information would benefit organizations. The vendor acknowledges that the proof of concept code did help to replicate the issue and that without it, it would have needed more time to identify it from the report alone. The concern is that the details provided in the report may give a hacker a specific direction to look for the vulnerability. Finally, the vendor indicates that will have a better estimation for the rlease date of a fix by Friday March 28th, 2008.
- 2008-03-27: Core acknowledges the vendor's email and indicates that is looking forward to having the new estimate by Friday.
- 2008-03-28: Vendor informs that it has brought the estimated release date in to May 2nd. If things go well during QA, they may be able to bring that date in sooner and vendor requests that Core postpone publication until that time.
- 2008-03-28: Core re-schedules publication of the advisory to May 2nd 2008 and says that it considers this date final unless the vendor indicates any deviation from the current estimate with at least a week in advance of the publication date, in which case Core would re-evaluate postponing publication up to 5 working days. With regard to the previous inquiry about the advisory's content, Core states that the purpose of publishing security advisories and the rationale used to define their content is simple and hopefully, once explained, both reasonable and understandable. Core publishes advisories not only to make users aware of the existence of a given vulnerability but also to facilitate its mitigation by either official or any other means that the security community and/or the vulnerable user population may devise. In order to do so, Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems. It is that information that can help other security practitioners to determine how to prevent exploitation, detect attacks or to verify that a fix or workaround is actually functioning properly. Thus, Core believes that it is necessary not only to indicate the mere existence of the bug, but also to explain how to uniquely identify it in the vulnerable software (to avoid confusion with all other known bugs or to differentiate it from others that may be discovered in the future). It is also important to determine how the vulnerability could be used by potential attackers so that proper detection mechanisms can be built, for example firewall rules, or IDS and antivirus signatures. While Core recognizes that this may provide some additional data to would-be attackers, clearly it also provides preciously needed information to the defenders thus, leveling a field on which Core believes the attackers are initially at advantage.
- 2008-04-01: Vendor acknowledges previous email and indicates that it will provide a new update as soon as is available.
- 2008-04-28: Vendor informs Core that a fix for the vulnerability in SuiteLink has been released.
- 2008-04-28: Core acknowledges previous emails and requests an official vendor statement for the security advisory and more details about the vulnerable packages and versions.
- 2008-04-29: Vendor provides an official statement and indicates that versions of SuiteLink prior to 2.0 patch 01 are vulnerable. Multiple products use SuiteLink.
- 2008-04-30: The advisory is ready for release, but the publication date is re-scheduled to May 5th because May 1st is a public holiday in many countries (International Workers' Day) and Core does not usually publish advisories on Fridays (to avoid IT work on weekends).
- 2008-05-05: CORE-2008-0129 advisory is published.
 WonderWare website http://us.wonderware.com/
 Tech Alert 106 http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm
 WonderWare Security Manual - Securing Industrial Control Systems
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs
and requirements for information security technologies. We conduct our research in several important areas
of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing,
and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions
and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide
develop and maintain a proactive process for securing their networks. The company's flagship product,
CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing.
CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed.
It enables organizations to determine if current security investments are detecting and preventing attacks.
Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies
can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs,
and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.