Attack: Siemens Tecnomatix FactoryLink

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature attempts to detect multiple vulnerabilities in Siemens Tecnomatix FactoryLink.

Additional Information

Siemens Tecnomatix FactoryLink is Supervisory Control And Data Acquisition (SCADA) software.

The software is prone to the following vulnerabilities:

1. Stack-based buffer-overflow vulnerabilities affect the logging function of the 'CSService' service. The service listens by default on TCP port 7580. Attackers can exploit these issues by passing an overly large path or filter string through file-related operations such as opcodes 6, 8, and 10.

2. Multiple information-disclosure vulnerabilities affect 'CSService'. Attackers can download arbitrary files through file-related opcodes 6, 8, and 10 to obtain information that may aid in further attacks.

3. A memory-corruption vulnerability affects the 'vrn.exe' service. The service listens by default on TCP port 7579 when a project is started. Specifically, an attacker can exploit this issue with specially crafted text fields in the strings of opcode 10. The strings are delimited by a ';' or a space character within a stack-based buffer, which can allow inputs to manipulate code flow.

4. A stack-based buffer-overflow vulnerability affects the 'vrn.exe' service. Specifically, the issue affects strings in opcode 9.

5. An information-disclosure vulnerability affects the 'vrn.exe' service. Attackers can download arbitrary files through opcode 8 to obtain information that may aid in further attacks.

6. Multiple denial-of-service vulnerabilities affect the 'CSService', 'connsrv', and 'datasrv' services. Specifically, the services are prone to NULL-pointer dereference errors, stack-based memory exhaustion, and unspecified exceptions.

Attackers can leverage these issues to obtain sensitive information, run arbitrary code, or cause a denial of service. Other attacks may also be possible.

Affected

  • Siemens Tecnomatix FactoryLink 8.0.1.1473 is vulnerable. Other versions may also be affected.

Response

Currently we are not aware of any vendor-supplied patches.
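With no patch available, a practical check is to confirm which hosts can reach the two default ports named above. The following is an added example, not Symantec's signature logic: the flow-record layout, the sample records, and the permitted subnet are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Default listener ports as given in the description above. The page gives
# no ports for 'connsrv' and 'datasrv', so they are not covered here.
FACTORYLINK_PORTS = {7580: "CSService", 7579: "vrn.exe"}

# Assumption: only this control-network subnet should reach the services.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records: time src_ip dst_ip dst_port proto action
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z 10.20.0.15 10.20.0.5 7580 tcp allow
2024-01-01T10:00:02Z 192.0.2.44 10.20.0.5 7580 tcp allow
2024-01-01T10:00:03Z 192.0.2.44 10.20.0.5 7580 tcp allow
2024-01-01T10:00:04Z 192.0.2.44 10.20.0.5 7579 tcp deny
2024-01-01T10:00:05Z 10.20.0.15 10.20.0.5 443 tcp allow
2024-01-01T10:00:06Z 198.51.100.7 10.20.0.5 7579 udp allow
malformed line
2024-01-01T10:00:07Z 198.51.100.7 10.20.0.6 7579 tcp allow
"""

def unexpected_peers(flow_text):
    """Count TCP flows to FactoryLink ports from sources outside ALLOWED_SOURCES.

    Returns {(dst_ip, service, src_ip, action): count}. 'allow' entries are
    real exposure; 'deny' entries show the filter working but being probed.
    """
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed record
        _, src, dst, dport, proto, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        service = FACTORYLINK_PORTS.get(port)
        if proto != "tcp" or service is None:
            continue
        if any(src_ip in net for net in ALLOWED_SOURCES):
            continue
        hits[(dst, service, src, action)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (dst, service, src, action), n in sorted(unexpected_peers(SAMPLE_FLOWS).items()):
        print(f"{action:5} {src} -> {dst} {service} x{n}")
```

Any 'allow' entry in the result is a path that should be closed at the firewall or segment boundary.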
