The Takebishi Electric DeviceXplorer FA-M3 OPC server has security vulnerabilities, allowing an attacker with access to the OPC interface to arbitrarily read and write the process memory, potentially leading to the execution of attacker-provided code.
52af4b4375b268850339d5b6df527f40e730e7722cacafcf9729cd0917d237b3
Multiple vulnerabilities in Takebishi Electric DeviceXplorer FA-M3 OPC
server
============================================================================
=
OPC servers provide a standard way to interoperate automation and control
systems, bridging data from several industrial protocols such as DNP3,
MODBUS, etc. to a more standard data access interface. They are often used
in SCADA systems to consolidate network device information in a single
point; as such OPC servers are usually considered critical applications.
Takebishi Electric commercialises an OPC Server ("Takebishi.FAM3.1"), more
information is available at http://www.takebishi.co.jp/.
ANALYSIS
--------
The product presents various security vulnerabilities, allowing an attacker
with access to the OPC interface to arbitrarily read and write the process
memory, leading to the execution of attacker-provided code.
The vulnerabilities reside in the server implementation of the following OPC
Data Access interface methods:
* IOPCServer::RemoveGroup
By providing specially crafted OPC handles the attacker can force the server
to access arbitrary memory in read/write operations which can be leveraged
to execute arbitrary code in the OPC server.
VULNERABLE VERSIONS
-------------------
The vulnerability has been verified to be present in the following version
of the server:
Server name: DeviceXPlorer FA-M3 OPC Server
OPC Server CLSID: {3D738EE0-F978-11D3-A7F2-00105A820145}
ProgID: Takebishi.FAM3.1
Version: 3.11.6
OS: Windows XP
The vulnerability was discovered during an OPC server group assessment for a
customer and is not known to be publicly exploited.
WORKAROUND
----------
The vendor has fixed the vulnerability and published an updated version.
ADDITIONAL INFORMATION
----------------------
This vulnerability was found and researched by:
Lluis Mora <llmora@neutralbit.com>
Xavier Panadero <xpanadero@neutralbit.com>
You can find the latest version of this advisory at:
http://www.neutralbit.com/
Disclosure timeline:
12/Jan/2006: Vendor notified
12/Jan/2006: US-CERT notified
16/Mar/2006: Vendor published public advisory
21/Mar/2006: Neutralbit advisory published
References:
CERT: US-CERT Vulnerability Note VU#926551
CVE: CVE-2007-1319
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed