CVE-2011-3499
Published 2011-09-16
CVE-2011-3499: Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute…
Priority: P3 · 56 · critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 15.90% (96.5th percentile)
Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an EIDP packet with a large size field, which writes a zero byte to an arbitrary memory location.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progea | movicon_powerhmi | <= 11.2.1085 | — |
| progea | movicon_powerhmi | — | — |
| progea | movicon_powerhmi | — | — |
Detection & IOCs (extracted from sources)
- bytes: c6041100 (mov byte ptr [ecx+edx],0) — null-byte write at address > 0x7fffffff
- CVE-2011-3499 is triggered via HTTP on port 808/TCP carrying a tunnelled EIDP packet with an oversized size field; monitor for anomalously large EIDP size fields in HTTP traffic destined for port 808.
- The memory corruption results in a null-byte write at an address above 0x7FFFFFFF; crash telemetry or access-violation logs showing writes to addresses in the 0x80000000+ range from the Movicon process are indicative of exploitation.
- Public PoC payload files (movicon_1.dat, movicon_3.dat) and the udpsz tool are known to be used against port 808/TCP; detect delivery of these files or execution of udpsz targeting port 808.
- The EIDP protocol normally operates on port 12233/TCP; exploitation of CVE-2011-3499 routes EIDP packets through port 808/TCP HTTP — EIDP-like traffic on port 808 is anomalous and should be alerted on.
- Exploitation of CVE-2011-3499 via the native EIDP port (12233/TCP) does not appear to work; the bug is only reliably triggered when EIDP packets are tunnelled through the HTTP service on port 808/TCP.
- The null-byte write is constrained to memory addresses above 0x7FFFFFFF, which limits reliable arbitrary-code execution on 32-bit Windows but may be more impactful in 64-bit environments.
- The vulnerability is only present when the Movicon/PowerHMI software is actively running a project (i.e., the HTTP listener on port 808 is active); deployments not running a project are not exposed.
GHSA
GHSA-qm8f-5cf9-f84f: Progea Movicon / PowerHMI 11
ghsa_unreviewed · 2022-05-17 · CVE-2011-3499 · severity HIGH · CWE-119
CISA ICS
Progea Movicon Power HMI Vulnerabilities
cisa_ics · 2011-09-13
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
Last Revised: January 24, 2014
Alert Code: ICSA-11-294-01
## Overview
This advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-01 – Progea Movicon PowerHMI Vulnerabilities” that was published September 13, 2011, on the ICS-CERT web page.
Two buffer overflow vulnerabilities and one memory corruption vulnerability were disclosed affecting Progea's Movicon PowerHMI product.
ICS-CERT has coordinated these vulnerabilities with Progea, which has produced a hotfix that mitigates them.
## Affected Products
The following products
No detection rules found.
No writeups or analysis indexed.
References:
- http://aluigi.altervista.org/adv/movicon_3-adv.txt
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69789
Published: 2011-09-16