This afternoon the DHS ICS-CERT published an advisory covering twin buffer overflow vulnerabilities in OPTO 22 products. The vulnerabilities were reported by Ivan Sanchez of Nullcode Team. OPTO 22 has released new versions that mitigate the vulnerabilities, and Sanchez has verified that the fix is effective.
The twin vulnerabilities are:
∙ Heap-based buffer overflow, CVE-2015-1006; and
∙ Stack-based buffer overflow, CVE-2015-1007.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the heap-based overflow. The stack-based overflow would first require a social engineering attack (some action by a user on the affected system) before it could be exploited remotely.
OPTO 22 reports that the stack-based overflow actually resides in a Rockwell OPC Test Client application bundled with its products (no version number is provided). The newer, unaffected OPTO 22 products ship a ProSys Test Client application instead. Owners who do not want to install the updated PAC Project applications can obtain a copy of the ProSys Test Client from the OPTO 22 FTP site. Note that swapping out the test client addresses only the stack-based overflow; nothing in the advisory suggests it does anything for the heap-based overflow, which would still call for the updated release.
This is apparently just another case of a vendor bundling another vendor's files without tracking the vulnerabilities that come with them. It would be interesting if someone (ICS-CERT, maybe) would look to see how many other systems are shipping the vulnerable Rockwell OPC Test Client.