VYPR
Unrated severity · NVD Advisory · Published Jul 19, 2018 · Updated Sep 16, 2024

CVE-2018-10620

Description

In AVEVA InduSoft Web Studio v8.1 and v8.1 SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1, a remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in AVEVA InduSoft Web Studio and InTouch Machine Edition allows remote unauthenticated code execution via crafted packets.

Vulnerability

The vulnerability is a stack-based buffer overflow in the TCPServer.dll component of AVEVA InduSoft Web Studio v8.1 and v8.1 SP1, and InTouch Machine Edition v2017 8.1 and v2017 8.1 SP1 [1][2]. When processing command 81, the server reads a string length supplied by the user. If the length is 0xffffffff, adding one for the null terminator wraps the value to zero, so the size check that would normally trigger a heap allocation is bypassed. The server then attempts to copy a large amount of data into a fixed-size stack buffer (lbuf, 0x40 bytes), resulting in a stack buffer overflow [1].
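The length check described above, modeled as an added C example; it is not AVEVA's code and is not taken from the advisory. The function names, the `MAX_STRING_LEN` ceiling and the `bytes_available` parameter are assumptions, and only the 0x40-byte buffer size and the 0xffffffff length come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LBUF_SIZE      0x40u     /* fixed stack buffer size given in the advisory */
#define MAX_STRING_LEN 0x10000u  /* assumed protocol ceiling, not from the advisory */

enum dest { DEST_STACK, DEST_HEAP, DEST_REJECT };

/* Flawed pattern: the size check uses len + 1, which wraps to 0 for 0xffffffff. */
enum dest choose_dest_flawed(uint32_t len)
{
    uint32_t need = len + 1u;   /* 32-bit arithmetic: 0xffffffff + 1 == 0 */
    return (need > LBUF_SIZE) ? DEST_HEAP : DEST_STACK;
}

/* Bytes a copy of len bytes plus terminator would write past the stack buffer
 * under the flawed check (0 when the heap is chosen or the data fits). */
uint64_t stack_overrun_flawed(uint32_t len)
{
    uint64_t written = (uint64_t)len + 1u;   /* widened, so no wrap here */
    if (choose_dest_flawed(len) != DEST_STACK || written <= LBUF_SIZE)
        return 0;
    return written - LBUF_SIZE;
}

/* Hardened: bound the declared length by a ceiling and by the bytes actually
 * received before using it, and compare without any addition that can wrap. */
enum dest choose_dest_hardened(uint32_t len, size_t bytes_available)
{
    if (len > MAX_STRING_LEN || len > bytes_available)
        return DEST_REJECT;
    return (len < LBUF_SIZE) ? DEST_STACK : DEST_HEAP;  /* room for the NUL */
}

int main(void)
{
    /* Constructed declared lengths: in range, boundary, and the wrap value. */
    const uint32_t samples[] = { 0x10u, 0x3fu, 0x40u, 0xffffffffu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=0x%08x flawed=%d overrun=%llu hardened=%d\n",
               (unsigned)samples[i], (int)choose_dest_flawed(samples[i]),
               (unsigned long long)stack_overrun_flawed(samples[i]),
               (int)choose_dest_hardened(samples[i], 0x80));
    return 0;
}
```

The flawed check sends the 0xffffffff case to the stack buffer while every length from 0x40 up to 0xfffffffe goes to the heap, which is why a length ceiling plus a comparison against the received byte count is the safer validation.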

Exploitation

An unauthenticated remote attacker can send a carefully crafted packet to the TCP/IP Server Task (if enabled) during tag, alarm, or event related actions such as read and write [2]. The attacker provides a string length of 0xffffffff, causing the overflow. No authentication or user interaction is required [2]. The vulnerability is remotely exploitable and requires only a low skill level [2].

Impact

Successful exploitation allows remote code execution in the context of the affected service. The CVSS v3 base score is 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating full compromise of confidentiality, integrity, and availability [2].

Mitigation

Users of InduSoft Web Studio v8.1 SP1 should apply Hotfix 81.1.00.08. Users of v8.1 should first upgrade to v8.1 SP1 then apply the hotfix. Users of InTouch Machine Edition 2017 v8.1 SP1 should apply Hotfix 81.1.00.08; v8.1 users should upgrade to SP1 then apply the hotfix [2]. The hotfix was released in 2018. No workaround is provided if the hotfix cannot be applied; disabling the TCP/IP Server Task may reduce exposure but is not a complete mitigation [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
