Invensys Process Systems Information for VU#190617

LiveData ICCP Server heap buffer overflow vulnerability

Status

Affected

Vendor Statement

LiveData ICCP Problem Report and Fix:  CERT VU#190617

June 18, 2006

Invensys is committed to ensuring that our customers and employees are kept current on issues that might affect or improve system operation. We are dedicated to focusing on product, application and service availability and reliability.

This customer notification is provided to you for informational purposes only. Invensys has directly contacted the customers that may be affected by the situation described.

Background

The situation described below involves a third party product used in a limited number of I/A Series DCS and I/A Series SCADA, and Wonderware/InFusion customer installations. It also involves a United States government agency named in the following paragraphs.

LiveData is a vendor located in Cambridge, MA, who makes a product called "Live RTI Server". This product in our usage supports a protocol called "ICCP", or Inter Control Center Protocol. We supply an RTI interface from the various platforms we support to the LiveData Live RTI Server. This interface is used to send and receive realtime data from the host system (I/A Series, FoxSCADA, or Wonderware/InFusion) to/from the remote system(s).

The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

Situation

US-CERT has published Vulnerability Note VU#190617 on its website, relating to a potential problem that may be encountered with the LiveData ICCP Server software. LiveData has addressed the issue in an updated release of LiveData ICCP Server (version 5.00.035).

A specifically crafted network packet targeting LiveData Server's RFC 1006 network interface may lead to a heap-buffer overflow condition and eventual crash of LiveData Server. A remote attacker with network access to a LiveData Server implementation could exploit this vulnerability to crash LiveData Server.

No customer, to LiveData's knowledge, has experienced such an attack, but LiveData takes such possibilities very seriously. LiveData has identified Invensys as an impacted Vendor.

In turn, Invensys has identified our customers that may be impacted, of which all have been notified and instructed on acquiring and implementing the latest version of LiveData ICCP Server (version 500.035).

You may view the CERT report in detail at:

http://www.kb.cert.org/vuls/id/190617

For Information

If you have any questions regarding this notification, please contact your local Service Representative or the Invensys Customer Satisfaction Center (CSC) at


<mailto:ips.csc@invensys.com>

or telephone:

USA: 1-866-746-6477 or 1-508-549-2424 (International + 1 508-549-2424).

Europe, the Middle East and Africa: +31 35 54 84125.

Asia-Pacific: +65 6829 8899.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.