All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
This ICS-CERT Advisory is a follow-up to the ICS-CERT Alert titled, “ICS-ALERT-11-080-04—Multiple Vulnerabilities in RealFlex RealWin.”
An independent researcher has published exploit code for seven vulnerabilities identified in RealFlex Technologies’ RealWin 2.1.10 Demo Supervisory Control and Data Acquisition (SCADA) product. Multiple functions listening on Port 910/TCP are susceptible to heap and stacked-based buffer overflow vulnerabilities. The heap and stack buffer overflows may allow an attacker to remotely execute arbitrary code.
RealFlex has released a new version (Version 2.1.12) of their free demo software that mitigates these vulnerabilities.
ICS-CERT has verified that these vulnerabilities do not affect the RealFlex RealWin commercial version and that Version 2.1.12 resolves the vulnerabilities in the demo version.
RealFlex reports that these zero-day vulnerabilities affect Versions 1.06A and earlier of its demo software only. The commercial version of RealWin is not affected.
Successful exploitation of these vulnerabilities can cause the RealWin demo application to crash.
RealFlex Technologies Ltd is a company based in Houston, Texas, that focuses on industrial automation software for many markets including power, oil and gas, water and wastewater, chemical, transportation, and manufacturing. RealWin is a SCADA server product including a human-machine interface that runs on a Windows (XP or newer) platform. For more information on RealFlex and RealWin, visit their website.
The researcher provided reports of seven separate vulnerabilities. Six are stack overflows that can be exploited remotely. The remaining vulnerability is an integer overflow that also can be exploited remotely.
Multiple functions listening on Port 910/TCP are susceptible to these buffer overflow vulnerabilities.
This vulnerability is exploitable from a remote machine.
Existence of Exploit
The researcher has publicly released exploits that specifically target these vulnerabilities.
An attacker would need only basic skills to use the publicly available code to exploit these vulnerabilities.
Users of the demo version of RealFlex RealWin should upgrade to the newest version (2.1.12), which is available at http://realflex.com/download/.
ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and isolated from the business network. If remote access is required, use secure methods such as Virtual Private Networks (VPNs).
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.