Vulnerability Note VU#138633
Invensys Wonderware InTouch creates insecure NetDDE share
Invensys Wonderware InTouch 8.0 creates a NetDDE share that could allow an attacker to run arbitrary programs.
Invensys Wonderware InTouch HMI Software is used in Supervisory Control And Data Acquisition (SCADA) systems.
Dynamic Data Exchange (DDE) was designed to allow Microsoft Windows applications to share data. NetDDE is an extension to DDE that was developed by Wonderware. NetDDE allows communications with local DDE applications and with remote NetDDE agents using NetBIOS. NetDDE is not supported in Windows Vista, but is included in Windows NT, 2000, XP, and Server 2003.
A remote attacker may be able to execute any application that accepts NetDDE connections. This could allow an attacker to gain control of the system running NetDDE
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Invensys||Affected||02 Oct 2007||27 Nov 2007|
|Takebishi||Affected||-||25 Feb 2008|
CVSS Metrics (Learn More)
This vulnerability was reported by Neutralbit with assistance from Digital Bond .
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2007-6033
- Date Public: 19 Nov 2007
- Date First Published: 19 Nov 2007
- Date Last Updated: 25 Feb 2008
- Severity Metric: 0.57
- Document Revision: 30
If you have feedback, comments, or additional information about this vulnerability, please send us email.