Vulnerability Note VU#138633

Invensys Wonderware InTouch creates insecure NetDDE share

Dynamic Data Exchange (DDE) was designed to allow Microsoft Windows applications to share data. NetDDE is an extension to DDE that was developed by Wonderware. NetDDE allows communications with local DDE applications and with remote NetDDE agents using NetBIOS. NetDDE is not supported in Windows Vista, but is included in Windows NT, 2000, XP, and Server 2003.

InTouch 8.0 creates a universal NetDDE share. The permissions applied to the share may allow a remote attacker to execute arbitrary programs. Windows access permissions apply to NetDDE connections, however if an attacker can obtain valid credentials, or possibly if anonymous connections are enabled, the attacker could connect to the NetDDE share and execute programs.

Other vendors may also create insecure NetDDE shares.

II. Impact

This issue has been addressed in Wonderware InTouch version 9 and later. Wonderware administrators with active support contracts who do not want to upgrade can get an updated version of Wonderware 8.0. Wonderware Tech Alert 98 contains information about obtaining fixed software. Wonderware administrators can also contact Wonderware for more information about obtaining updates.

Please see the Systems Affected section below for information about other vendors.

Disable NetDDE

If NetDDE is not required, disable the Network DDE and Network DDE DSDM services.

Limit NetDDE share privileges

If NetDDE is required, configure shares to have the least necessary privileges. From Digital Bond: "NetDDE allows a system to limit access to specific applications, documents, and even portions of the documents. Access and permissions can be set by user or group as well. The key is to avoid the wide open share like seen in the *|*." Also, unless absolutely required, do not configure anonymous users to be members of the Everyone group (see KB 278259 for more information).

Restrict NetDDE access

Per Microsoft Security Bulletin MS04-031 (which describes an unrelated NetDDE vulnerability in Windows), blocking the below ports at perimeter firewalls can prevent remote NetDDE connections (as well as NetBIOS and SMB connections).

• Ports 135/udp, 137/udp, 138/udp, 445/udp, 135/tcp, 139/tcp, 445/tcp, and 593/tcp
• All unsolicited inbound traffic on ports greater than 1024
• Any other specifically configured RPC port

http://us.wonderware.com/aboutus/whoweare/contactus.htm
http://pacwest.wonderware.com/web/News/NewsDetails.aspx?NewsThreadID=2&NewsID=201804
http://blogs.msdn.com/nickkramer/archive/2006/04/18/577962.aspx
http://msdn2.microsoft.com/en-us/library/ms648711.aspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;125703
http://lists.immunitysec.com/pipermail/dailydave/2004-October/001014.html
http://www.digitalbond.com/index.php/2007/11/19/wonderware-intouch-80-netdde-vulnerability-s4-preview/
http://secunia.com/advisories/27751/
http://www.digitalbond.com/index.php/2008/01/29/vulnerable-netdde-shares-lead-to-complete-system-compromise/
http://www.digitalbond.com/wiki/index.php/Invensys_Wonderware_InTouch_creates_insecure_NetDDE_share
http://technet2.microsoft.com/windowsserver/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx
http://support.microsoft.com/kb/278259
http://support.microsoft.com/kb/243330

Credit

This vulnerability was reported by Neutralbit with assistance from Digital Bond.

This document was written by Ryan Giobbi.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.