{"vuid":"VU#647928","idnumber":"647928","name":"Invensys Wonderware InBatch and Foxboro I/A Series Batch database lock manager service (lm_tcp) buffer overflow vulnerability","keywords":["wonderware","inbatch","scada"],"overview":"The lm_tcp service in Invensys Wonderware InBatch and Foxboro I/A Series Batch contains a buffer overflow vulnerability when copying string data into a buffer in a fixed structure.","clean_desc":"From the Invensys Wonderware website: \"InBatch is powerful software that can be used in the most complex batching processes that require a high level of flexibility.\" Wonderware InBatch runs a database lock manager (lm_tcp) service that listens (manually or automatically during the launching of \"Environment Display/Manager\") on port 9001. Foxboro I/A Series Batch includes an application with the same service. The service in both products is vulnerable to a buffer overflow when copying a string into a buffer of 150 bytes which is part of a fixed structure.","impact":"An attacker can cause the device to crash and may be able to execute arbitrary code.","resolution":"Upgrade According to Invensys, users of Wonderware InBatch 8.1 – InBatch Server (all versions), Wonderware InBatch 9.0 – InBatch Server (all versions), I/A Series Batch 8.1 – I/A Series Batch Server (all versions) should apply the vendor security update.","workarounds":"Restrict Access Enable firewall rules to restrict access for port 9001/tcp to only trusted sources.","sysaffected":"","thanks":"This vulnerability was publicly disclosed by Luigi Auriemma.","author":"This document was written by Michael Orlando.","public":["http://global.wonderware.com/EN/Pages/WonderwareInBatchSoftware.aspx","http://aluigi.org/adv/inbatch_1-adv.txt","http://www.us-cert.gov/control_systems/pdf/ICSA-10-348-01.pdf","http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx","http://secunia.com/advisories/42528"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2010-12-10T21:03:16Z","publicdate":"2010-12-08T00:00:00Z","datefirstpublished":"2010-12-15T13:00:30Z","dateupdated":"2010-12-16T12:20:41Z","revision":26,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"4","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"16","cam_population":"10","cam_impact":"15","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"24.4125","cam_scorecurrentwidelyknown":"28.35","cam_scorecurrentwidelyknownexploited":"44.1","ipprotocol":"tcp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":24.4125,"vulnote":null}