var-200805-0133
Vulnerability from variot

The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure.

Wonderware SuiteLink contains a denial-of-service (DoS) vulnerability in its processing of crafted TCP packets. Wonderware SuiteLink is a protocol used in control systems. The Wonderware SuiteLink Service (slssvc.exe), which implements this protocol, runs as a Windows service and communicates on 5413/tcp. The service has a flaw in its handling of TCP packets, and receiving a specially crafted packet can cause a service outage. A remote third party may be able to cause a denial of service (DoS).

WonderWare is a supplier of industrial automation and information software solutions. WonderWare has a vulnerability in processing malformed request data, which could be exploited by remote attackers to render services unavailable. WonderWare's SuiteLink service listens for connections on port 5413/TCP. Unauthenticated client programs connected to the service can send malformed messages that make a memory allocation through the new() operator fail and return a null pointer. Because the result of the allocation is not checked, the program may later use the null pointer as the destination of a memory copy operation, which may trigger a memory access exception and terminate the service. An attacker can trigger the allocation failure by specifying an oversized field in the Registration message. The following binary program segment shows the cause of the vulnerability:

.text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet
...
.text:00405C20 push edi
.text:00405C21 test esi, esi ; Check value != 0
...
.text:00405C31 push esi ; Alloc with our length
.text:00405C32 mov [ebp+var_4], 0
.text:00405C39 call operator new(uint) ; Big values return NULL
.text:00405C3E mov ecx, esi ; Memcpy with our length
.text:00405C40 mov esi, [ebp+pDestionationAddr]
.text:00405C43 mov [ebx+4], eax ; new result is used as dest
.text:00405C46 mov edi, eax ; address without checks.
.text:00405C48 mov eax, ecx
.text:00405C4A add esp, 4
.text:00405C4D shr ecx, 2
.text:00405C50 rep movsd ; AV due to invalid
.text:00405C52 mov ecx, eax ; destination pointer.
.text:00405C54 and ecx, 3

Wonderware SuiteLink is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to execute arbitrary code, but this has not been confirmed. Versions prior to Wonderware SuiteLink 2.0 Patch 01 are vulnerable. UPDATE: References to Wonderware InTouch 8.0 have been removed; that software is not affected by this vulnerability.
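The missing check, as an added example that is not code from slssvc.exe or from the Core advisory: a model of the listing's control flow next to a hardened parse of the same kind of length-prefixed field. The message layout (4-byte little-endian length followed by the data), the 64 KiB limit and all function names are assumptions; the page does not document the SuiteLink wire format.

```cpp
// Added example: not code from slssvc.exe. Layout, names and limit are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

using AllocFn = void* (*)(std::size_t);

void* heap_alloc(std::size_t n) { return std::malloc(n); }
// Stands in for a 32-bit heap refusing an oversized request (returns NULL).
void* failing_alloc(std::size_t) { return nullptr; }

// Model of the listing: the only test before the allocation is length != 0,
// and the allocation result goes straight into the copy destination.
// Returns true when the copy at 00405C50 would run with a NULL destination.
bool legacy_reaches_copy_with_null(std::uint32_t len_from_packet, AllocFn alloc) {
    if (len_from_packet == 0) return false;   // test esi, esi
    void* dst = alloc(len_from_packet);       // call operator new(uint)
    const bool null_dest = (dst == nullptr);  // the question the listing never asks
    std::free(dst);                           // model only: no copy is performed
    return null_dest;
}

enum class CopyResult { Ok, Truncated, EmptyField, TooLarge, AllocFailed };

// Assumed per-field ceiling; a real service would take it from its protocol spec.
constexpr std::uint32_t kMaxFieldLen = 64 * 1024;

struct Field {
    std::uint8_t* data = nullptr;
    std::uint32_t len = 0;
    Field() = default;
    Field(const Field&) = delete;
    Field& operator=(const Field&) = delete;
    ~Field() { std::free(data); }  // allocators used here are malloc-compatible
};

// Hardened form. Hypothetical layout: [u32 little-endian length][length bytes].
CopyResult copy_field(const std::uint8_t* pkt, std::size_t pkt_len,
                      Field& out, AllocFn alloc) {
    if (pkt == nullptr || pkt_len < 4) return CopyResult::Truncated;
    const std::uint32_t len = std::uint32_t(pkt[0]) |
                              (std::uint32_t(pkt[1]) << 8) |
                              (std::uint32_t(pkt[2]) << 16) |
                              (std::uint32_t(pkt[3]) << 24);
    if (len == 0) return CopyResult::EmptyField;          // the one check the listing has
    if (len > kMaxFieldLen) return CopyResult::TooLarge;  // reject before allocating
    if (len > pkt_len - 4) return CopyResult::Truncated;  // claims more than was received
    auto* buf = static_cast<std::uint8_t*>(alloc(len));
    if (buf == nullptr) return CopyResult::AllocFailed;   // check absent after 00405C39
    std::memcpy(buf, pkt + 4, len);
    std::free(out.data);
    out.data = buf;
    out.len = len;
    return CopyResult::Ok;
}

int main() {
    // Constructed sample: length 5 followed by "hello".
    const std::uint8_t ok_pkt[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    // Constructed sample: header claims 0xFFFFFFFF bytes of data.
    const std::uint8_t huge_pkt[] = {0xFF, 0xFF, 0xFF, 0xFF, 'x'};

    Field a, b;
    std::printf("valid field   -> result %d, %u bytes copied\n",
                static_cast<int>(copy_field(ok_pkt, sizeof ok_pkt, a, heap_alloc)),
                static_cast<unsigned>(a.len));
    std::printf("oversized len -> result %d (rejected before allocation)\n",
                static_cast<int>(copy_field(huge_pkt, sizeof huge_pkt, b, heap_alloc)));
    std::printf("legacy flow with failed allocation reaches copy with NULL: %s\n",
                legacy_reaches_copy_with_null(0xFFFFFFFFu, failing_alloc) ? "yes" : "no");
    return 0;
}
```

The length ceiling and the allocation check are independent defences: the ceiling stops the oversized request from reaching the allocator, and the NULL check covers allocation failure for any other reason.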

PROVIDED AND/OR DISCOVERED BY: Sebastian Muniz, Core Security Technologies

ORIGINAL ADVISORY: Wonderware (requires login): http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm

CORE-2008-0129: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2187




  Core Security Technologies - CoreLabs Advisory
       http://www.coresecurity.com/corelabs/

Wonderware SuiteLink Denial of Service vulnerability

Advisory Information

Title: Wonderware SuiteLink Denial of Service vulnerability
Advisory ID: CORE-2008-0129
Advisory URL: http://www.coresecurity.com/?action=item&id=2187
Date published: 2008-05-05
Date of last update: 2008-05-05
Vendors contacted: Wonderware
Release mode: Coordinated release

Vulnerability Information

Class: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 28974
CVE Name: CVE-2008-2005

Vulnerability Description

WonderWare is a supplier of industrial automation and information software solutions. According to the company's website [1]: "one third of the world's plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry - including Oil & Gas, Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more".

WonderWare offers software solutions in the areas of Production and Performance Management, and Geographical SCADA and Supervisory HMI (Human-Machine Interface). Several of these solutions running on Microsoft Windows Operating Systems use a common software component, the SuiteLink Service, to implement communications between components using a proprietary protocol over TCP/IP networks. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.

Vulnerable Packages

.

Non-vulnerable Packages

. Contact WonderWare for details.

Vendor Information, Solutions and Workarounds

The vendor has made a technical document available to registered customers detailing how to address this issue [2]. Additionally, an extensive guide detailing how to deploy and secure Industrial Control Systems is available at the vendor's support site [3].

Vendor Statement:

Wonderware, a business unit of Invensys, is committed to collaborate with our customers and industry standards committees to provide secure applications, security best practices, deployment guidelines, tools and prescriptive guidance for maintaining a secure environment. A potential denial of service issue on an insecure network which could have been instigated by a hostile internal user has been addressed in SuiteLink 2.0 Patch 01. More details can be found in Wonderware's Tech Alert 106 posted on our website along with the Patch. (Please note that access to the Tech Alert and the Patch will require that you register on our web site.) Wonderware users interested in upgrading should contact Wonderware or their local distributor.

Credits

This vulnerability was discovered and researched by Sebastian Muniz from the Exploit Writers Team (EWT) at Core Security Technologies.

Technical Description / Proof of Concept Code

WonderWare SuiteLink is a service that runs on Microsoft Windows Operating Systems listening for connections on port 5413/tcp.

.text:00405C54 and ecx, 3
-----------/

Report Timeline

2008-01-30: Initial contact email sent to Wonderware setting the estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgement of the notification of a security vulnerability.
2008-02-28: As requested during the phone call, Core re-sends the original notification mail, stating that an advisory draft describing the vulnerability is available since January 30th. The publication of the advisory is re-scheduled to March 24th.
2008-02-28: Vendor acknowledges the email notification.
2008-02-28: Core sends the advisory draft to Wonderware support team.
2008-02-29: Vendor acknowledges reception of the report and states that it understands the seriousness of the problem and that its development team will look into it.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org where a Python interpreter can be downloaded.
2008-03-10: Vendor requests more information about the network and the firewall settings used during the tests and inquires about conformance (or lack thereof) of the tested network with the vendor's security policies and recommendations.
2008-03-10: Vendor asks for details about how the advisory will be published.
2008-03-12: Core responds that the workstation running the vulnerable service had no firewall activated in the tests, but since the Wonderware SuiteLink Service allows incoming connections it is assumed that the corresponding port should be allowed to receive inbound session establishment packets. Core offers the vendor the opportunity to include additional information in the "vendor information" section of the advisory. Core explains that the advisory will be published on Core's website and sent to security mailing lists. Core also reminds the vendor that the publication date of the advisory has been moved from February 25th to March 24th, and explains that it is willing to discuss a new publication date on the basis of having concrete plans, with a specific date for the fix release.
2008-03-21: Vendor indicates that it will be unable to commit to releasing fixes by March 24th and requests publication of the advisory to be delayed to create a fix for vulnerable customers. The development team is investigating how long it will take to make such a fix available. The vendor indicates that the previous questions about firewall setup referred to the vendor's recommended practices to secure networks on which their systems run using firewalls and IPsec.
2008-03-21: Vendor indicates that it is issuing a Tech Alert to its customers to address the issue. Details about the vulnerability have been minimized in the Tech Alert. The vendor expresses concern about the level of detail included in Core's advisory and requests that those details be removed from the advisory because they give more detail than what is needed to make people aware of the issue, and may lend itself to use by people who might want to exploit it. Early estimates put the delivery time for a fix at approximately three months, and the estimate is not final. Vendor asks Core to delay any publication until it is able to have a software fix ready.
2008-03-21: Core asks if the three-month estimate should be assumed to have begun since the vendor's initial acknowledgement of Core's notification -- which puts the estimated date for the release of a fix at the end of May -- or since the date of the last email received (fix released at the end of June). Core indicates that as of today it still has no confirmation from the vendor that the vulnerability was replicated and identified, and that the fix is already under development or testing, and that is the information needed to re-schedule the publication date. Core is expecting to receive that information from the vendor, but in the meantime publication of the advisory is re-scheduled to March 31st 2008. With regards to the questions and requests about the contents of the security advisory, Core indicates that Core's technical publications are aimed at providing legitimate security practitioners worldwide with the technical details necessary to understand the nature of the security issues reported, so they are able to devise, by their own judgment, the risk mitigation approach that fits them the best. For that purpose, Core believes that it is fundamental that they have precise and accurate technical details about security issues -- as Wonderware itself has demonstrated with the request for further technical details and proof-of-concept code -- and that the whole reporting and disclosure process is transparent for scrutiny of all interested parties.
2008-03-21: Vendor acknowledges Core's email, provides a copy of the issued Technical Alert 106 and indicates that it will provide more information by March 25th 2008.
2008-03-26: Vendor confirms that it has replicated the reported issue and indicates that the Tech Alert 106 sent to customers confirms and recognizes the issue. The Tech Alert also points out what measures can be taken to mitigate risk. A project has been chartered and is in progress to fix this issue and properly QA the fix. With regard to the contents of Core's report, the vendor says that stating that a Denial of Service of SuiteLink communication can be created when a remote node sends a corrupted data packet seems to be sufficient to make people aware. The vendor says that it is having trouble understanding what the value is in providing specific detail as to what technical issue is happening and asks for clarification to understand how this information would benefit organizations. The vendor acknowledges that the proof of concept code did help to replicate the issue and that without it, it would have needed more time to identify it from the report alone. The concern is that the details provided in the report may give a hacker a specific direction to look for the vulnerability. Finally, the vendor indicates that it will have a better estimate for the release date of a fix by Friday March 28th, 2008.
2008-03-27: Core acknowledges the vendor's email and indicates that it is looking forward to having the new estimate by Friday.
2008-03-28: Vendor informs that it has brought the estimated release date in to May 2nd. If things go well during QA, they may be able to bring that date in sooner and vendor requests that Core postpone publication until that time.
2008-03-28: Core re-schedules publication of the advisory to May 2nd 2008 and says that it considers this date final unless the vendor indicates any deviation from the current estimate at least a week in advance of the publication date, in which case Core would re-evaluate postponing publication up to 5 working days. With regard to the previous inquiry about the advisory's content, Core states that the purpose of publishing security advisories and the rationale used to define their content is simple and hopefully, once explained, both reasonable and understandable. Core publishes advisories not only to make users aware of the existence of a given vulnerability but also to facilitate its mitigation by either official or any other means that the security community and/or the vulnerable user population may devise. In order to do so, Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems. It is that information that can help other security practitioners to determine how to prevent exploitation, detect attacks or to verify that a fix or workaround is actually functioning properly. Thus, Core believes that it is necessary not only to indicate the mere existence of the bug, but also to explain how to uniquely identify it in the vulnerable software (to avoid confusion with all other known bugs or to differentiate it from others that may be discovered in the future). It is also important to determine how the vulnerability could be used by potential attackers so that proper detection mechanisms can be built, for example firewall rules, or IDS and antivirus signatures. While Core recognizes that this may provide some additional data to would-be attackers, clearly it also provides preciously needed information to the defenders, thus leveling a field on which Core believes the attackers are initially at an advantage.
2008-04-01: Vendor acknowledges previous email and indicates that it will provide a new update as soon as one is available.
2008-04-28: Vendor informs Core that a fix for the vulnerability in SuiteLink has been released.
2008-04-28: Core acknowledges previous emails and requests an official vendor statement for the security advisory and more details about the vulnerable packages and versions. Multiple products use SuiteLink.
2008-04-30: The advisory is ready for release, but the publication date is re-scheduled to May 5th because May 1st is a public holiday in many countries (International Workers' Day) and Core does not usually publish advisories on Fridays (to avoid IT work on weekends).
2008-05-05: CORE-2008-0129 advisory is published.

References

[1] WonderWare website http://us.wonderware.com/
[2] Tech Alert 106 http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm
[3] WonderWare Security Manual - Securing Industrial Control Systems http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

GPG/PGP Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200805-0133",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "suitelink",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "wonderware",
        "version": "2.0"
      },
      {
        "model": "intouch",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "wonderware",
        "version": "8.0"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "invensys",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "wonderware",
        "version": null
      },
      {
        "model": "suitelink",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "wonderware",
        "version": "version 2.0 patch 01 earlier"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.6,
        "vendor": "none",
        "version": null
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "intouch",
        "version": "8.0"
      },
      {
        "model": null,
        "scope": "eq",
        "trust": 0.4,
        "vendor": "suitelink",
        "version": "2.0"
      },
      {
        "model": "suitelink patch",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "wonderware",
        "version": "2.001"
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "db": "BID",
        "id": "28974"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:wonderware:suitelink",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Sebastian Muniz",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2008-2005",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2008-2005",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.9 [IVD]"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "IVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "7d7822e1-463f-11e9-8a01-000c29342cb1",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.2,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.9 [IVD]"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2008-2005",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#596268",
            "trust": 0.8,
            "value": "3.07"
          },
          {
            "author": "NVD",
            "id": "CVE-2008-2005",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200805-037",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d",
            "trust": 0.2,
            "value": "MEDIUM"
          },
          {
            "author": "IVD",
            "id": "7d7822e1-463f-11e9-8a01-000c29342cb1",
            "trust": 0.2,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure. Wonderware SuiteLink Crafted by TCP Denial of service when processing packets (DoS) There are vulnerabilities that may be affected. Wonderware SuiteLink Is the protocol used in the control system. Implemented this protocol Wonderware SuiteLink Service(slssvc.exe) Is Windows As a service on 5413/tcp Use to communicate. Wonderware SuiteLink Service(slssvc.exe) In TCP There is a problem with the processing of the packet, and receiving a specially crafted packet can cause a service outage.Denial of service by remote third party (DoS) There is a possibility of being attacked. WonderWare is a supplier of industrial automation and information software solutions. WonderWare has a vulnerability in processing malformed request data, which could be exploited by remote attackers to render services unavailable. WonderWare\u0027s SuiteLink service listens for connections on port 5413 / TCP. Non-authenticated client programs connected to the service can send malformed messages, and by calling the new () operator, the memory allocation operation fails and returns a null pointer. Due to the lack of error checking on the results of memory allocation operations, the program may later use null pointers as targets for memory copy operations, which may trigger memory access exceptions and terminate services. An attacker can trigger a memory allocation operation failure by specifying an oversized field in the Registration message. The following binary program segment describes the cause of the vulnerability: .text: 00405C1B mov esi, [ebp + dwLen]; Our value from packet\n\n\u00a0... 
\n\n\u00a0.text: 00405C20 push edi\n\n\u00a0.text: 00405C21 test esi, esi; Check value! = 0\n\n\u00a0... \n\n\u00a0.text: 00405C31 push esi; Alloc with our length\n\n\u00a0.text: 00405C32 mov [ebp + var_4], 0\n\n\u00a0.text: 00405C39 call operator new (uint); Big values return NULL\n\n\u00a0.text: 00405C3E mov ecx, esi; Memcpy with our length\n\n\u00a0.text: 00405C40 mov esi, [ebp + pDestionationAddr]\n\n\u00a0.text: 00405C43 mov [ebx + 4], eax; new result is used as dest\n\n\u00a0.text: 00405C46 mov edi, eax; address without checks. \n\n\u00a0.text: 00405C48 mov eax, ecx\n\n\u00a0.text: 00405C4A add esp, 4\n\n\u00a0.text: 00405C4D shr ecx, 2\n\n\u00a0.text: 00405C50 rep movsd; AV due to invalid\n\n\u00a0.text: 00405C52 mov ecx, eax; destination pointer. \n\n\u00a0.text: 00405C54 and ecx, 3\n\n\u00a0------------ /. Wonderware SuiteLink is prone to a remote denial-of-service vulnerability. \nAn attacker can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to execute arbitrary code, but this has not been confirmed. \nVersions prior to Wonderware SuiteLink 2.0 Patch 01 are vulnerable. \nUPDATE: References to Wonderware InTouch 8.0 have been removed; that software is not affected by this vulnerability. ----------------------------------------------------------------------\n\nSecunia Network Software Inspector 2.0 (NSI) - Public Beta\n\nThe Public Beta has ended. Thanks to all that participated. 
\n\nPROVIDED AND/OR DISCOVERED BY:\nSebastian Muniz, Core Security Technologies\n\nORIGINAL ADVISORY:\nWonderware (requires login):\nhttp://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm\n\nCORE-2008-0129:\nhttp://www.coresecurity.com/index.php5?module=ContentMod\u0026action=item\u0026id=2187\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n      Core Security Technologies - CoreLabs Advisory\n           http://www.coresecurity.com/corelabs/\n\n   Wonderware SuiteLink Denial of Service vulnerability\n\n\n*Advisory Information*\n\nTitle: Wonderware SuiteLink Denial of Service vulnerability\nAdvisory ID: CORE-2008-0129\nAdvisory URL: http://www.coresecurity.com/?action=item\u0026id=2187\nDate published: 2008-05-05\nDate of last update: 2008-05-05\nVendors contacted: Wonderware\nRelease mode: Coordinated release\n\n\n*Vulnerability Information*\n\nClass: Denial of service\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 28974\t\nCVE Name: CVE-2008-2005\t\n\n\n*Vulnerability Description*\n\nWonderWare is supplier of industrial automation and information software\nsolutions. According to the company\u0027s website [1]: \"one third of the\nworld\u0027s plants run Wonderware software solutions. Having sold more than\n500,000 software licenses in over 100,000 plants worldwide, Wonderware\nhas customers in virtually every global industry - including Oil \u0026 Gas,\nFood \u0026 Beverage, Utilities, Pharmaceuticals, Electronics, Metals,\nAutomotive and more\". \n\nWonderWare offers software solutions in the areas of Production and\nPerformance Management, and Geographical SCADA and Supervisory HMI\n(Human-Machine Interface). Several of these solutions running on\nMicrosoft Windows Operating Systems use a common software component, the\nSuiteLink Service, to implement communications between components using\na proprietary protocol over TCP/IP networks. Exploitation of the\nvulnerability for remote code execution has not been proven, but it has\nnot been eliminated as a potential scenario. \n\n\n*Vulnerable Packages*\n\n. \n\n\n*Non-vulnerable Packages*\n\n. Contact WonderWare for details. 
\n\n\n*Vendor Information, Solutions and Workarounds*\n\nThe vendor has made a technical document available to registered\ncustomers detailing how to address this issue [2]. Additionally, an\nextensive guide detailing how to deploy and secure Industrial Control\nSystems is available at the vendor\u0027s support site [3]. \n\nVendor Statement:\n\n   Wonderware, a business unit of Invensys, is committed to collaborate\nwith our customers and industry standards committees to provide secure\napplications, security best practices, deployment guidelines, tools and\nprescriptive guidance for maintaining a secure environment. A potential\ndenial of service issue on an insecure network which could have been\ninstigated by a hostile internal user has been addressed in SuiteLink\n2.0 Patch 01. More details can be found in Wonderware\u0027s Tech Alert 106\nposted on our website along with the Patch. (Please note that access to\nthe Tech Alert and the Patch will require that you register on our web\nsite.) Wonderware users interested in upgrading should contact\nWonderware or their local distributor. \n\n\n*Credits*\n\nThis vulnerability was discovered and researched by Sebastian Muniz from\nthe Exploit Writers Team (EWT) at Core Security Technologies. \n\n\n*Technical Description / Proof of Concept Code*\n\nWonderWare SuiteLink is a service that runs on Microsoft Windows\nOperating Systems listening for connections on port 5413/tcp. \n.text:00405C54 and  ecx, 3\n\n- -----------/\n\n\n*Report Timeline*\n\n. 2008-01-30: Initial contact email sent by to Wonderware setting the\nestimated publication date of the advisory to February 25th. 2008-01-30: Contact email re-sent to Wonderware asking for a software\nsecurity contact for Wonderware InTouch. 2008-02-06: New email sent to Wonderware asking for a response and for\na software security contact for Wonderware InTouch. 
2008-02-28: Core makes direct phone calls to Wonderware headquarters\ninforming of the previous emails and requesting acknowledgement of the\nnotification of a security vulnerability. 2008-02-28: As requested during the phone call, Core re-sends the\noriginal notification mail, stating that an advisory draft describing\nthe vulnerability is available since January 30th. The publication of\nthe advisory is re-scheduled to March 24th. 2008-02-28: Vendor acknowledges the email notification. 2008-02-28: Core sends the advisory draft to Wonderware support team. 2008-02-29: Vendor acknowledges reception of the report and states\nthat it understands the seriousness of the problem and that its\ndevelopment team will look into it. 2008-02-29: Vendor asks for a copy of the proof of concept code used\nto demonstrate the vulnerability. 2008-03-03: Core sends proof-of-concept code written in Python. 2008-03-05: Vendor asks for compiler tools  required to use the PoC code. 2008-03-05: Core sends a link to http://www.python.org where a Python\ninterpreter can be downloaded. 2008-03-10: Vendor requests more information about the network and the\nfirewall settings used during the tests and inquires about conformance\n(or lack thereof) of the tested network with the vendor\u0027s security\npolicies and recommendations. 2008-03-10: Vendor asks for details about how the advisory will be\npublished. 2008-03-12: Core responds that the workstation running the vulnerable\nservice had no firewall activated in the tests, but since the Wonderware\nSuiteLink Service allows incoming  connections it is assumed that the\ncorresponding port should be allowed to receive inbound session\nestablishment packets. Core offers the vendor the opportunity to include\nadditional information in the \"vendor information\" section of the\nadvisory. Core explains that the advisory will be published on Core\u0027s\nwebsite and sent to security mailing lists. 
Core also reminds the vendor\nthat the publication date of the advisory has been moved from February\n25th to March 24th, and explains that it is willing to discuss a new\npublication date on the basis of having concrete plans, with a specific\ndate for the fix release. 2008-03-21: Vendor indicates that it will be unable to commit to\nreleasing fixes by March 24th and requests publication of the advisory\nto be delayed to create a fix for vulnerable customers. The development\nteam is investigating how long it will take to make such a fix\navailable. The vendor indicates that the previous questions about\nfirewall setup referred to the vendor\u0027s recommended practices to secure\nnetworks on which their systems run using firewalls and IPsec. 2008-03-21: Vendor indicates that it is issuing a Tech Alert to its\ncustomers to address the issue. Details about the vulnerability have\nbeen minimized in the Tech Alert. The vendor expresses concern about the\nlevel of detail included in Core\u0027s advisory and requests that those\ndetails be removed from the advisory because they give more detail than\nwhat is needed to make people aware of the issue, and may lend itself to\nuse by people who might want to exploit it. Early estimates put the\ndelivery time for a fix at approximately three months, and the estimate\nis not final. Vendor asks Core to delay any publication until it is able\nto have a software fix ready. 2008-03-21: Core asks if the three-month estimate should be assumed to\nhave begun  since the vendor\u0027s initial acknowledgement of Core\u0027s\nnotification -- which puts the estimated date for the release of a fix\nat the end of May -- or since the date of the last email received (fix\nreleased at the end of June). 
Core indicates that as of today it still\nhas no confirmation from the vendor that the vulnerability was\nreplicated and identified, and that the fix is already under development\nor testing, and that is the information needed to re-schedule the\npublication date. Core is expecting to receive that information from the\nvendor, but in the meantime publication of the advisory is re-scheduled\nto March 31st 2008. With regards to the questions and requests about the\ncontents of the security advisory, Core indicates that Core\u0027s technical\npublications are aimed at providing legitimate security practitioners\nworldwide with the technical details necessary to understand the nature\nof the security issues reported; so they are able to devise, by their\nown judgment, the risk mitigation approach that fits them the best. For\nthat purpose, Core believes that it  is fundamental that they have\nprecise and accurate technical details about security issues --  as\nWonderware itself has demonstrated with the request for further\ntechnical details and proof-of-concept code -- and that the whole\nreporting and disclosure process is transparent for scrutiny of all\ninterested parties. 2008-03-21: Vendor acknowledges Core\u0027s email and provides a copy of\nthe issued Technical Alert 106 and indicates that will provide more\ninformation by March 25th 2008. 2008-03-26: Vendor confirms to have replicated the issue reported and\nindicated that the Tech Alert 106 sent to customers confirms and\nrecognizes the issue.  The Tech Alert also points out what measures can\nbe taken to mitigate risk. A project has been charter and is in progress\nto fix this issue and properly QA the fix. With regard to the contents\nof Core\u0027s report, it says that stating that a Denial of Service of\nSuiteLink communication can be created from a remote node sends a\ncorrupted data packet seems to be sufficient to make people aware. 
The\nvendor says that is having trouble understanding what the value is in\nproviding specific detail as to what technical issue is happening and\nasks for clarification to understand how this information would benefit\norganizations. The vendor acknowledges that the proof of concept code\ndid help  to replicate the issue and that without it, it would have\nneeded more time to identify it from the report alone. The  concern is\nthat the details provided in the report may give a hacker a specific\ndirection to look for the vulnerability. Finally, the vendor indicates\nthat will have a better estimation for the rlease date of a fix by\nFriday March 28th, 2008. 2008-03-27: Core acknowledges the vendor\u0027s email and indicates that is\nlooking forward to having the new estimate by Friday. 2008-03-28: Vendor informs that it has brought the estimated release\ndate in to May 2nd. If things go well during QA, they may be able to\nbring that date in sooner and vendor requests that Core postpone\npublication until that time. 2008-03-28: Core re-schedules publication of the advisory to May 2nd\n2008 and says that it considers this date final unless the vendor\nindicates any deviation from the current estimate with at least a week\nin advance of the publication date, in which case Core would re-evaluate\npostponing publication up to 5 working days. With regard to the previous\ninquiry about the advisory\u0027s content, Core states that the purpose of\npublishing security advisories and the rationale used to define their\ncontent is simple and hopefully, once explained, both reasonable and\nunderstandable. Core publishes advisories not only to make users aware\nof the existence of a given vulnerability but also to facilitate its\nmitigation by either official or any other means that the security\ncommunity and/or the vulnerable user population may devise. 
In order to\ndo so, Core has learned over the course of 13 years working  in this\nparticular field that it is fundamental to provide precise and accurate\ntechnical information about problems. It is that information that can\nhelp other security practitioners to determine how to prevent\nexploitation, detect attacks or to verify that a fix or workaround is\nactually functioning properly. Thus, Core believes that it is necessary\nnot only to indicate the mere existence of the bug, but also to explain\nhow to uniquely identify it in the vulnerable software (to avoid\nconfusion with all other known bugs or to differentiate it from others\nthat may be discovered in the future). It is also important to determine\nhow the vulnerability could be used by potential attackers so that\nproper detection mechanisms can be built, for example firewall rules, or\nIDS and antivirus signatures. While Core recognizes that this may\nprovide some additional data to would-be attackers, clearly it also\nprovides preciously needed information to the defenders thus, leveling a\nfield on which Core believes the attackers are initially at advantage. 2008-04-01: Vendor acknowledges previous email and indicates that it\nwill provide a new update as soon as is available. 2008-04-28: Vendor informs Core that a fix for the vulnerability in\nSuiteLink has been released. 2008-04-28: Core acknowledges previous emails and requests an official\nvendor  statement for the security advisory and more details about the\nvulnerable packages and versions. Multiple\nproducts use SuiteLink. 2008-04-30: The advisory is ready for release, but the publication\ndate is re-scheduled to May 5th because May 1st is a public holiday in\nmany countries (International Workers\u0027 Day) and Core does not usually\npublish advisories on Fridays (to avoid IT work on weekends). 2008-05-05: CORE-2008-0129 advisory is published. 
\n\n\n*References*\n\n[1] WonderWare website http://us.wonderware.com/\n[2] Tech Alert 106\nhttp://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm\n[3] WonderWare Security Manual - Securing Industrial Control Systems\n\nhttp://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf\n\n\n*About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs/. \n\n\n*About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. 
\n\n\n*Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n*GPG/PGP Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.7 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFIH2eAyNibggitWa0RAtlcAKCgV83vS0v4aLVTRtFmkBsEg0UPXgCdHL4p\nsi+I8mGJwJuglh+QESsZ9ZE=\n=705O\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "db": "BID",
        "id": "28974"
      },
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "PACKETSTORM",
        "id": "66050"
      },
      {
        "db": "PACKETSTORM",
        "id": "66028"
      }
    ],
    "trust": 3.69
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2008-2005",
        "trust": 3.8
      },
      {
        "db": "BID",
        "id": "28974",
        "trust": 3.5
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268",
        "trust": 3.5
      },
      {
        "db": "SECUNIA",
        "id": "30063",
        "trust": 2.5
      },
      {
        "db": "EXPLOIT-DB",
        "id": "6474",
        "trust": 2.4
      },
      {
        "db": "SECTRACK",
        "id": "1019966",
        "trust": 2.4
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191",
        "trust": 1.0
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354",
        "trust": 0.8
      },
      {
        "db": "BUGTRAQ",
        "id": "20080505 CORE-2008-0129 - WONDERWARE SUITELINK DENIAL OF SERVICE VULNERABILITY",
        "trust": 0.6
      },
      {
        "db": "MILW0RM",
        "id": "6474",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "42221",
        "trust": 0.6
      },
      {
        "db": "IVD",
        "id": "DD3E5AD8-23CD-11E6-ABEF-000C29C66E3D",
        "trust": 0.2
      },
      {
        "db": "IVD",
        "id": "7D7822E1-463F-11E9-8A01-000C29342CB1",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "66050",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "66028",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "db": "BID",
        "id": "28974"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "PACKETSTORM",
        "id": "66050"
      },
      {
        "db": "PACKETSTORM",
        "id": "66028"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "id": "VAR-200805-0133",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      }
    ],
    "trust": 1.6043447333333334
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "ICS"
        ],
        "sub_category": null,
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      }
    ]
  },
  "last_update_date": "2024-11-23T23:10:22.160000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Wonderware Tech Alert 106",
        "trust": 0.8,
        "url": "http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm"
      },
      {
        "title": "Wonderware Security Manual - Securing Industrial Control Systems",
        "trust": 0.8,
        "url": "http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/BestPractices/WWSecGd041707_External.pdf"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-399",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.2,
        "url": "http://www.securityfocus.com/bid/28974"
      },
      {
        "trust": 2.7,
        "url": "http://www.kb.cert.org/vuls/id/596268"
      },
      {
        "trust": 2.5,
        "url": "http://www.coresecurity.com/?action=item\u0026id=2187"
      },
      {
        "trust": 2.4,
        "url": "http://www.securitytracker.com/id?1019966"
      },
      {
        "trust": 1.6,
        "url": "http://secunia.com/advisories/30063"
      },
      {
        "trust": 1.4,
        "url": "http://www.milw0rm.com/exploits/6474"
      },
      {
        "trust": 1.0,
        "url": "http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002260.htm"
      },
      {
        "trust": 1.0,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42221"
      },
      {
        "trust": 1.0,
        "url": "https://www.exploit-db.com/exploits/6474"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/archive/1/491623/100/0/threaded"
      },
      {
        "trust": 0.9,
        "url": "http://secunia.com/advisories/30063/"
      },
      {
        "trust": 0.8,
        "url": "http://www.wonderware.com/support/web/secure/downloads/download_serve.asp?id=2355\u0026url=http://www.wonderware.com/support/mmi/registered/patchfixes/sl2.0p1.zip"
      },
      {
        "trust": 0.8,
        "url": "http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/bestpractices/wwsecgd041707"
      },
      {
        "trust": 0.8,
        "url": "http://portal.wonderware.com/sites/securitycentral/default.aspx"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2005"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp//cert/jvnvu596268/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-2005"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/42221"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/491623/100/0/threaded"
      },
      {
        "trust": 0.4,
        "url": "http://us.wonderware.com/"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/491623"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/index.php5?module=contentmod\u0026action=item\u0026id=2187"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/network_software_inspector_2/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/product/16628/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-2005"
      },
      {
        "trust": 0.1,
        "url": "http://www.python.org"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
      },
      {
        "trust": 0.1,
        "url": "http://enigmail.mozdev.org"
      },
      {
        "trust": 0.1,
        "url": "http://www.wonderware.com/support/mmi/esupport/securitycentral/documents/bestpractices/wwsecgd041707_external.pdf"
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/."
      },
      {
        "trust": 0.1,
        "url": "http://www.coresecurity.com/corelabs/"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "BID",
        "id": "28974"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "PACKETSTORM",
        "id": "66050"
      },
      {
        "db": "PACKETSTORM",
        "id": "66028"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "db": "BID",
        "id": "28974"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "db": "PACKETSTORM",
        "id": "66050"
      },
      {
        "db": "PACKETSTORM",
        "id": "66028"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-04-28T00:00:00",
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "date": "2008-04-28T00:00:00",
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "date": "2008-05-06T00:00:00",
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "date": "2008-04-28T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "date": "2008-05-05T00:00:00",
        "db": "BID",
        "id": "28974"
      },
      {
        "date": "2008-05-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "date": "2008-05-06T22:57:38",
        "db": "PACKETSTORM",
        "id": "66050"
      },
      {
        "date": "2008-05-06T20:21:55",
        "db": "PACKETSTORM",
        "id": "66028"
      },
      {
        "date": "2008-04-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "date": "2008-05-06T15:20:00",
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-09-17T00:00:00",
        "db": "CERT/CC",
        "id": "VU#596268"
      },
      {
        "date": "2008-04-28T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "date": "2008-09-17T18:10:00",
        "db": "BID",
        "id": "28974"
      },
      {
        "date": "2008-05-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-001354"
      },
      {
        "date": "2009-03-13T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      },
      {
        "date": "2024-11-21T00:45:52.197000",
        "db": "NVD",
        "id": "CVE-2008-2005"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "66028"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "WonderWare SuiteLink slssvc.exe Remote Denial of Service Vulnerability",
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2008-2191"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      }
    ],
    "trust": 1.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Resource management error",
    "sources": [
      {
        "db": "IVD",
        "id": "dd3e5ad8-23cd-11e6-abef-000c29c66e3d"
      },
      {
        "db": "IVD",
        "id": "7d7822e1-463f-11e9-8a01-000c29342cb1"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200805-037"
      }
    ],
    "trust": 1.0
  }
}

