Vulnerability Note VU#660688
SCADA Engine BACnet OPC Client buffer overflow vulnerability
SCADA Engine BACnet OPC Client contains a buffer overflow when parsing .csv files. This vulnerability may allow an attacker to execute arbitrary code.
According to SCADA Engine website: "The SCADA Engine BACnet OPC Server is a server that provides data access (DA), Alarms and Events (AE), and Historical Data Access (HDA) between OPC clients and BACnet-compliant devices." SCADA Engine BACnet OPC Client contains a stack-based buffer overflow when parsing .csv files. The vulnerability is caused by a boundary error in the WTclient.dll library when preparing a status log message.
For additional information see ICS-CERT Advisory ICSA-10-264-01.
An attacker could exploit the vulnerability by tricking a user into opening a crafted .csv file, leading to execution of arbitrary code. Failed execution of this vulnerability may also lead to denial-of-service conditions.
Do not access .csv files from untrusted sources
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|SCADA Engine||Affected||-||19 Jan 2011|
CVSS Metrics (Learn More)
Thanks to Jeremy Brown for reporting this vulnerability to ICS-CERT.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 21 Sep 2010
- Date First Published: 03 Feb 2011
- Date Last Updated: 03 Feb 2011
- Severity Metric: 3.22
- Document Revision: 18
If you have feedback, comments, or additional information about this vulnerability, please send us email.