Trihedral VTScada Integer Overflow Denial of Service Vulnerability

December 12th, 2014

Vulnerability Details


This vulnerability allows remote attackers to cause a denial of service to vulnerable installations of Trihedral VTScada. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the included HTTP server. By providing a small negative content length, an attacker is able to cause an integer overflow, resulting in the allocation of too small a buffer. The resulting heap overwrite will terminate the HTTP server.

Additional Details

Trihedral Engineering Ltd has issued an update to correct this vulnerability. More details can be found at:
https://ics-cert.us-cert.gov/advisories/ICSA-14-343-02

Disclosure Timeline

  • 2014-11-19 - Vulnerability reported to vendor
  • 2014-12-12 - Coordinated public release of advisory

Credit

Anonymous

Back to Advisories