Vulnerability Description
Heap-based buffer overflow in the WWCabFile ActiveX component in the Wonderware System Platform in Invensys Wonderware Application Server 2012 and earlier, Foxboro Control Software 3.1 and earlier, InFusion CE/FE/SCADA 2.5 and earlier, Wonderware Information Server 4.5 and earlier, ArchestrA Application Object Toolkit 3.2 and earlier, and InTouch 10.0 through 10.5 might allow remote attackers to execute arbitrary code via a long string to the Open member, leading to a function-pointer overwrite.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Invensys | Archestra Application Object Toolkit | <= 3.2 |
| Invensys | Foxboro Control Software | <= 3.1 |
| Invensys | Infusion Control Edition | <= 2.5 |
| Invensys | Infusion Foundation Edition | <= 2.5 |
| Invensys | Infusion Scada | <= 2.5 |
| Invensys | Intouch | 10.0 |
| Invensys | Wonderware Application Server | <= 2012 |
| Invensys | Wonderware Information Server | <= 4.5 |
Related Weaknesses (CWE)
References
- http://osvdb.org/80891
- http://secunia.com/advisories/48675
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-081-01.pdfUS Government Resource
- https://wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bull
- http://osvdb.org/80891
- http://secunia.com/advisories/48675
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-081-01.pdfUS Government Resource
- https://wdnresource.wonderware.com/support/docs/_SecurityBulletins/Security_Bull
FAQ
What is CVE-2012-0257?
CVE-2012-0257 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Heap-based buffer overflow in the WWCabFile ActiveX component in the Wonderware System Platform in Invensys Wonderware Application Server 2012 and earlier, Foxboro Control Software 3.1 and earlier, In...
How severe is CVE-2012-0257?
CVE-2012-0257 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-0257?
Check the references section above for vendor advisories and patch information. Affected products include: Invensys Archestra Application Object Toolkit, Invensys Foxboro Control Software, Invensys Infusion Control Edition, Invensys Infusion Foundation Edition, Invensys Infusion Scada.