The Takebishi Electric DeviceXplorer MODBUS OPC server has security vulnerabilities, allowing an attacker with access to the OPC interface to arbitrarily read and write the process memory, potentially leading to the execution of attacker-provided code.
8cb33ba0ad4a128adf09db399a145e6e72c12a1b7920968c282f9e760c06697d
Multiple vulnerabilities in Takebishi Electric DeviceXplorer MODBUS OPC
server
============================================================================
==
OPC servers provide a standard way to interoperate automation and control
systems, bridging data from several industrial protocols such as DNP3,
MODBUS, etc. to a more standard data access interface. They are often used
in SCADA systems to consolidate network device information in a single
point; as such OPC servers are usually considered critical applications.
Takebishi Electric commercialises an OPC Server ("Takebishi.MODBUS.1"), more
information is available at http://www.takebishi.co.jp/.
ANALYSIS
--------
The product presents various security vulnerabilities, allowing an attacker
with access to the OPC interface to arbitrarily read and write the process
memory, leading to the execution of attacker-provided code.
The vulnerabilities reside in the server implementation of the following OPC
Data Access interface methods:
* IOPCServer::RemoveGroup
By providing specially crafted OPC handles the attacker can force the server
to access arbitrary memory in read/write operations which can be leveraged
to execute arbitrary code in the OPC server.
VULNERABLE VERSIONS
-------------------
The vulnerability has been verified to be present in the following version
of the server:
Server name: DeviceXPlorer MODBUS OPC Server
OPC Server CLSID: {31A50D31-56E5-4BC2-9FDB-F55E7AD3854E}
ProgID: Takebishi.Modbus.1
Version: 3.11.6
OS: Windows XP
The vulnerability was discovered during an OPC server group assessment for a
customer and is not known to be publicly exploited.
WORKAROUND
----------
The vendor has fixed the vulnerability and published an updated version.
ADDITIONAL INFORMATION
----------------------
This vulnerability was found and researched by:
Lluis Mora <llmora@neutralbit.com>
Xavier Panadero <xpanadero@neutralbit.com>
You can find the latest version of this advisory at:
http://www.neutralbit.com/
Disclosure timeline:
12/Jan/2006: Vendor notified
12/Jan/2006: US-CERT notified
16/Mar/2006: Vendor published public advisory
21/Mar/2006: Neutralbit advisory published
References:
CERT: US-CERT Vulnerability Note VU#926551
CVE: CVE-2007-1319
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed