Hole in software to monitor industry systems closed
Security service provider iDefense has published the discovery of a vulnerability in LiveData's Protocol Server that attackers can use to cause the system to crash or, in rare cases, to get control of the system. Because the Protocol Server is used to collect and forward process data in SCADA (Supervisory Control and Data Acquisition) environments, both attack scenarios are probably equally critical. The failure of the system that monitored and controlled the power grids of utility company FirstEnergy was one of the causes of the blackout in 2003, which left 50 million North Americans in the dark.
The current problem in LiveData's server is a flaw in the Protocol Server's integrated Web server, which communicates via port 8080. Requests for WSDL files sent to the Web server's SOAP interface trigger a heap overflow that overwrites parts of memory. Generally this only leads to a memory access violation that crashes the service. However, if an attacker manages to overwrite another process's heap, it may also be possible to execute injected code. Such an attack would, though, require an additional race condition so that the malicious code launches before the LiveData service dies.
Sadly, this exploit depends on a well-known flaw in the strncpy() function, which accepts an unsigned long integer parameter indicating the length of the string to be copied and trusts it without checking that sufficient memory is really available.
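As an added illustration (not LiveData's code, which the advisory does not show), the unchecked-length pattern the article describes, next to a version bounded by the destination's real capacity; the request record and its field size are assumptions:

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical request record (not LiveData's code): a heap-allocated object
 * whose fixed-size field holds the name of the requested WSDL file. */
#define NAME_CAP 32
typedef struct { char name[NAME_CAP]; } wsdl_request_t;

/* The risky pattern the article describes: the copy length is taken from the
 * request and passed straight to strncpy(). strncpy() bounds the copy by that
 * length, not by the destination's real capacity, so a claimed length larger
 * than NAME_CAP writes past the end of the struct on the heap. Shown only for
 * contrast; never call it with untrusted input. */
void set_name_unchecked(wsdl_request_t *req, const char *src, size_t claimed_len)
{
    strncpy(req->name, src, claimed_len);   /* bound chosen by the requester */
}

/* Hardened form: the destination's capacity is the hard limit, the claimed
 * length is only an upper bound on how many bytes to read from src, and the
 * result is always NUL-terminated (strncpy() does not guarantee that when the
 * source fills the buffer). Returns 0 on success, -1 if the request is
 * rejected as oversized or inconsistent with the data actually present. */
int set_name_checked(wsdl_request_t *req, const char *src, size_t claimed_len)
{
    if (claimed_len >= NAME_CAP)            /* no room for name + terminator */
        return -1;
    if (memchr(src, '\0', claimed_len))     /* declared length exceeds data */
        return -1;
    memcpy(req->name, src, claimed_len);
    req->name[claimed_len] = '\0';
    return 0;
}

int main(void)
{
    wsdl_request_t req = {{0}};
    char oversized[64];                     /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short name accepted: %d\n", set_name_checked(&req, "service.wsdl", 12));
    printf("stored: %s\n", req.name);
    printf("oversized rejected: %d\n", set_name_checked(&req, oversized, 63));
    return 0;
}
```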
The security advisory says that the hole was found in version 500045 of LiveData's Protocol Server, dated September. The flaw has apparently been fixed in version 500062 of the RTI, the Protocol Server, and the Maintenance Server. Version 500069 is the latest one available. As a workaround, iDefense suggests that users filter port 8080.
Additionally, US-CERT is reporting another flaw in LiveData's server that can also cause the server or the service to crash. It concerns the handling of specially crafted Connection-Oriented Transport Protocol (COTP) packets. This flaw has reportedly also been fixed as of version 500062.
- LiveData Protocol Server Heap Overflow Vulnerability, iDefense's security advisory