CVE-2011-3498
Published 2011-09-16
Priority P3 · 56 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.26% (95.1th percentile)
Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long request.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progea | movicon_powerhmi | <= 11.2.1085 | — |
| progea | movicon_powerhmi | — | — |
| progea | movicon_powerhmi | — | — |
Detection & IOCs (extracted from sources)
- Detect oversized HTTP requests (>8192 bytes) to port 808/TCP targeting Movicon/PowerHMI: the server uses a fixed 8192-byte buffer for incoming HTTP requests, and the overflow occurs with longer input.
- Alert on HTTP requests to port 808/TCP containing a negative Content-Length header value, which triggers the heap overflow via memcpy.
- Monitor for EIDP protocol packets tunnelled via port 808/TCP HTTP requests with anomalously large size fields; direct exploitation via port 12233/TCP does not appear viable.
- Flag any inbound connections to port 808/TCP and 12233/TCP on ICS/SCADA hosts running Progea Movicon or PowerHMI, especially from external/internet-facing sources.
- The EIDP memory corruption bug (CVE-2011-3499) can only be triggered via port 808/TCP HTTP tunnelling, NOT directly via port 12233/TCP; detection on port 12233 alone is insufficient.
- The null-byte write primitive in the EIDP bug is constrained to memory addresses above 0x7FFFFFFF, limiting reliable exploitation primarily to 64-bit environments.
- Public PoC exploit files (movicon_1.dat, movicon_3.dat, udpsz) are publicly available; low-skill attackers can achieve DoS while skilled attackers may achieve RCE.
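The first two detection points above (a request longer than the 8192-byte server buffer, and a negative Content-Length header) written out as a small request-inspection routine that a sensor could run over captured HTTP requests bound for port 808/TCP. This is an added example, not code from the CVE record, from Progea or from the cited advisory; the capture format (raw request bytes plus destination port), the constructed sample requests and the `inspect_request`/`scan` names are assumptions.

```python
# Added example: flags HTTP requests to 808/TCP matching the two detection
# bullets above. Input format and sample requests are constructed assumptions.
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MOVICON_HTTP_PORT = 808      # PowerHMI HTTP listener named in the advisory
FIXED_BUFFER_SIZE = 8192     # server-side request buffer size per the advisory

# Matches a Content-Length header line, capturing an optionally negative value.
_CONTENT_LENGTH = re.compile(rb"^content-length:\s*(-?\d+)\s*$", re.I | re.M)


@dataclass
class Finding:
    dst_port: int
    reasons: List[str] = field(default_factory=list)


def inspect_request(raw: bytes, dst_port: int) -> List[str]:
    """Return detection reasons for one request; an empty list means no hit."""
    if dst_port != MOVICON_HTTP_PORT:
        return []
    reasons = []
    # Bullet 1: whole request exceeds the fixed 8192-byte buffer.
    if len(raw) > FIXED_BUFFER_SIZE:
        reasons.append(f"oversized request: {len(raw)} bytes > {FIXED_BUFFER_SIZE}")
    # Bullet 2: negative Content-Length in the header block only (not the body).
    head = raw.split(b"\r\n\r\n", 1)[0]
    for m in _CONTENT_LENGTH.finditer(head):
        if int(m.group(1)) < 0:
            reasons.append(f"negative Content-Length: {m.group(1).decode()}")
    return reasons


def scan(samples: List[Tuple[bytes, int]]) -> List[Finding]:
    """Run the detector over (raw_request, dst_port) pairs and keep only hits."""
    hits = []
    for raw, port in samples:
        reasons = inspect_request(raw, port)
        if reasons:
            hits.append(Finding(port, reasons))
    return hits


# Constructed sample traffic: one benign request, one oversized request,
# one negative Content-Length to 808, and the same header sent to port 80.
SAMPLES = [
    (b"GET /index.htm HTTP/1.1\r\nHost: hmi\r\n\r\n", 808),
    (b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: hmi\r\n\r\n", 808),
    (b"POST /up HTTP/1.1\r\nHost: hmi\r\nContent-Length: -1\r\n\r\n", 808),
    (b"POST /up HTTP/1.1\r\nHost: web\r\nContent-Length: -1\r\n\r\n", 80),
]
```

Only the second and third samples are reported; the port-80 request is ignored because the conditions are specific to the PowerHMI listener.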
GHSA
GHSA-2g79-xp8w-xhhm: Heap-based buffer overflow in Progea Movicon / PowerHMI 11
GHSA (unreviewed) · 2022-05-17 · Severity: HIGH · CWE-119
CISA ICS
Progea Movicon Power HMI Vulnerabilities
cisa_ics · 2011-09-13
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: January 24, 2014
Alert Code: ICSA-11-294-01
## Overview
This advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-01 – Progea Movicon PowerHMI Vulnerabilities” that was published September 13, 2011, on the ICS-CERT web page.
Two buffer overflow vulnerabilities and one memory corruption vulnerability were disclosed affecting Progea's Movicon PowerHMI product.
ICS-CERT has coordinated these vulnerabilities with Progea, which has produced a hotfix that mitigates them.
## Affected Products
The following products
No detection rules found.
No writeups or analysis indexed.
References:
- http://aluigi.altervista.org/adv/movicon_1-adv.txt
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69788