CVE-2011-3491
Published: 2011-09-16
Priority: P2 · 61 · Severity: critical · CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 17.03% (96.7th percentile)
Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative Content-Length field.
Affected (3 ranges indexed; two carry no version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progea | movicon_powerhmi | <= 11.2.1085 | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP requests to port 808/TCP carrying a negative Content-Length header value. The value is handed to memcpy(heap_buffer, input, content_length_size) as the copy length; a negative number reinterpreted as an unsigned size becomes very large, so the copy overruns the heap buffer.
- Monitor for oversized HTTP requests (more than 8192 bytes) to port 808/TCP, which overflow the fixed-size HTTP request buffer.
- Monitor for EIDP protocol packets with an abnormally large size field tunnelled through the web service on port 808/TCP; these write a zero byte to an arbitrary address above 0x7fffffff.
- Public exploit PoC files (movicon_1.dat, movicon_3.dat) and the udpsz tool are known to target these vulnerabilities; the presence of these filenames on a host or in network traffic is suspicious.
- The EIDP memory-corruption bug (CVE-2011-3499) can only be triggered through the port 808/TCP web-service tunnel, not by sending to the native EIDP port 12233/TCP directly.
- The EIDP zero-byte write is limited to addresses above 0x7fffffff. In a 32-bit Windows process with the default 2 GB user/kernel split that range is not user-accessible, so the write faults and the outcome is a crash; a controlled write needs an address space in which that range is mapped, which may limit exploitability to 64-bit environments.
- Port 808/TCP is exposed only while the software is actively running a project; detection rules should account for this conditional listener.
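The two HTTP-side IOCs above, as an added example that is not part of this page, the advisory, or Progea's own code: a C program that classifies a captured request to port 808/TCP, flags a negative Content-Length and an oversized (more than 8192 byte) request, and contrasts the signed-conversion-then-memcpy pattern the advisory describes with a bounded parser that rejects it. The 4096-byte body cap, the IOC_MALFORMED_CL flag and the sample requests are assumptions made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits: 8192 is the IOC threshold from the list above; the body cap is a
   hypothetical value for an HMI web service, not something taken from the product. */
#define MAX_REQUEST_BYTES 8192
#define MAX_BODY_BYTES    4096

enum ioc_flags {
    IOC_NONE          = 0,
    IOC_NEGATIVE_CL   = 1u << 0,  /* negative Content-Length: the CVE-2011-3491 trigger */
    IOC_OVERSIZED_REQ = 1u << 1,  /* whole request larger than MAX_REQUEST_BYTES */
    IOC_MALFORMED_CL  = 1u << 2   /* non-numeric or over-cap Content-Length (extra check) */
};

/* Return a pointer to the Content-Length value in a raw request (header name matched
   case-insensitively at line starts), or NULL if absent or the header block ended. */
static const char *find_content_length(const char *req, size_t len)
{
    static const char name[] = "content-length:";
    const size_t n = sizeof(name) - 1;
    for (size_t i = 0; i + n <= len; i++) {
        if (i > 0 && req[i - 1] != '\n') continue;              /* line starts only */
        if (req[i] == '\r' && req[i + 1] == '\n') break;         /* blank line: headers end */
        size_t j = 0;
        while (j < n && tolower((unsigned char)req[i + j]) == name[j]) j++;
        if (j == n) {
            const char *v = req + i + n;
            while (v < req + len && (*v == ' ' || *v == '\t')) v++;
            return v;
        }
    }
    return NULL;
}

/* The advisory's pattern: a signed conversion of the header value, then memcpy with
   the result as a size_t. "-1" becomes SIZE_MAX and the copy overruns the heap
   buffer. Only the length is computed here; nothing is copied. */
static size_t naive_copy_length(const char *value)
{
    return (size_t)atol(value);
}

/* Hardened parse: unsigned digits only, capped at MAX_BODY_BYTES, terminated by
   whitespace or end of line. Returns 0 and sets *out on success, -1 otherwise. */
static int parse_content_length(const char *value, size_t value_len, size_t *out)
{
    size_t n = 0, i = 0;
    if (value_len == 0 || !isdigit((unsigned char)value[0])) return -1;   /* "", "-1", "+5" */
    for (; i < value_len && isdigit((unsigned char)value[i]); i++) {
        unsigned d = (unsigned)(value[i] - '0');
        if (n > (MAX_BODY_BYTES - d) / 10) return -1;                     /* over the cap */
        n = n * 10 + d;
    }
    if (i < value_len && value[i] != '\r' && value[i] != '\n' &&
        value[i] != ' ' && value[i] != '\t') return -1;                   /* "12abc" */
    *out = n;
    return 0;
}

/* Classify one captured request to port 808/TCP against the HTTP IOCs above. */
static unsigned classify_request(const char *req, size_t len)
{
    unsigned flags = IOC_NONE;
    if (len > MAX_REQUEST_BYTES) flags |= IOC_OVERSIZED_REQ;
    const char *v = find_content_length(req, len);
    if (v) {
        size_t cl, vlen = (size_t)(req + len - v);
        if (vlen > 0 && *v == '-') flags |= IOC_NEGATIVE_CL;
        else if (parse_content_length(v, vlen, &cl) != 0) flags |= IOC_MALFORMED_CL;
    }
    return flags;
}

/* Constructed sample requests; not captured from a real device. */
static const char REQ_NEGATIVE[]  = "POST /index.html HTTP/1.0\r\nHost: hmi\r\nContent-Length: -1\r\n\r\n";
static const char REQ_BENIGN[]    = "POST /index.html HTTP/1.0\r\nHost: hmi\r\nContent-Length: 12\r\n\r\nhello=world\n";
static const char REQ_MALFORMED[] = "GET / HTTP/1.0\r\nHost: hmi\r\nContent-Length: abc\r\n\r\n";

/* Build a request of MAX_REQUEST_BYTES + 1000 bytes (no Content-Length) and classify it. */
static unsigned classify_oversized_demo(void)
{
    static const char head[] = "GET /", tail[] = " HTTP/1.0\r\nHost: hmi\r\n\r\n";
    size_t pad = MAX_REQUEST_BYTES + 1000, hl = sizeof(head) - 1, tl = sizeof(tail) - 1;
    char *req = malloc(hl + pad + tl);
    if (!req) return IOC_NONE;
    memcpy(req, head, hl);
    memset(req + hl, 'A', pad);
    memcpy(req + hl + pad, tail, tl);
    unsigned flags = classify_request(req, hl + pad + tl);
    free(req);
    return flags;
}

int main(void)
{
    printf("negative:  0x%x\n", classify_request(REQ_NEGATIVE, sizeof(REQ_NEGATIVE) - 1));
    printf("benign:    0x%x\n", classify_request(REQ_BENIGN, sizeof(REQ_BENIGN) - 1));
    printf("malformed: 0x%x\n", classify_request(REQ_MALFORMED, sizeof(REQ_MALFORMED) - 1));
    printf("oversized: 0x%x\n", classify_oversized_demo());
    printf("naive copy length for \"-1\": %zu\n", naive_copy_length("-1"));
    return 0;
}
```

Build with `cc -std=c99 -Wall detect.c` (file name assumed) and run it. The point of `naive_copy_length` is the conversion chain, not the copy: a sensor only needs to spot the leading minus sign, but a fix has to reject the sign before the value ever reaches a `size_t`, and cap the accepted length at what the heap buffer actually holds.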
GHSA
GHSA-2hx9-gcpq-rv3h: Heap-based buffer overflow in Progea Movicon / PowerHMI 11 (ghsa_unreviewed · 2022-05-17)
CVE-2011-3491 · HIGH · CWE-119
Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative Content-Length field.
CISA ICS
Progea Movicon Power HMI Vulnerabilities (cisa_ics · 2011-09-13)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory: Progea Movicon Power HMI Vulnerabilities
Last Revised: January 24, 2014
Alert Code: ICSA-11-294-01
## Overview
This advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-01 – Progea Movicon PowerHMI Vulnerabilities” that was published September 13, 2011, on the ICS-CERT web page.
Two buffer overflow vulnerabilities and one memory corruption vulnerability were disclosed affecting Progea's Movicon PowerHMI product.
ICS-CERT has coordinated these vulnerabilities with Progea, which has produced a hotfix that mitigates them.
## Affected Products
The following products
No detection rules found.
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/movicon_1-adv.txt
- http://osvdb.org/75494
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69787