Leading global technology company Invensys has released an urgent update to eliminate a number of vulnerabilities from its SCADA system which were uncovered by experts at Positive Research, the research division of Positive Technologies.
The weaknesses in the Invensys Wonderware Information Server (WIS) were found during a security assessment of an industrial control system. If exploited, the vulnerabilities would have allowed hackers to execute malicious code, disclose sensitive information or hijack sessions and authentication credentials.
Wonderware Information Server is a part of the ArchestrA System Platform — a universal operating system for SCADA and HMI systems design. It’s used on critical facilities such as nuclear power stations and chemical plants.
The vulnerabilities are classified as CVE-2013-0684, CVE-2013-0685, CVE-2013-0686, and CVE-2013-0688. They are reported in WIS 4.0 SP1SP1 and 4.5- Portal, as well as WIS 5.0- Portal.
“The vulnerabilities were revealed in the course of auditing real industrial control systems operating on critical infrastructural assets. We give credit to Invensys for responding immediately to our notification and developing and testing of the corresponding update,” said Sergey Gordeychik, Positive Technologies EVP Product Strategy.
Checks for these vulnerabilities in Wonderware Information Server, Invensys ArchestrA System Platform, and Wonderware Intouch have been added to the knowledge base of the MaxPatrol Vulnerability and Compliance Management System from Positive Technologies. A patch to eliminate these weaknesses can also be downloaded from the Invensys website.
It’s not the first time Positive Research has uncovered vulnerabilities in software from Invensys. In May 2013 the company released a patch for its Win-XML Exporter after fiinding a weakness that would allow attackers to influence the availability and confidentiality of data processed in the system.