Wonderware Cyber Security Notice ID LFSEC00000038 and ICS-CERT Vulnerability ICS-ALERT-12-136-01 for SuiteLink
The only Software Toolbox products affected by this patch are TOP Server and OmniServer, both via the SuiteLink interface.
Software Toolbox has been made aware by Invensys that a denial-of-service vulnerability, together with exploit code, has been posted on the web against the Wonderware SuiteLink service. SuiteLink is a common component of System Platform, InTouch and InSQL (Historian); it transports value, time and quality information for digital I/O, along with extensive diagnostics, at high throughput between industrial devices, third-party products and Wonderware products.
Invensys has confirmed that the vulnerability exists in Wonderware products built prior to 2011. Slssvc.exe can be crashed when a very long, unallocatable Unicode string is sent to the service remotely. Mitigations for Wonderware and other products that carry SuiteLink have been identified for all supported versions.
TOP Server (V4.5 and older) and OmniServer (V2.0 and newer) will automatically install the SuiteLink option upon detecting certain Wonderware software components on the PC. Starting with V5.0, TOP Server requires that the SuiteLink interface be selected during installation.
This vulnerability is for the Wonderware software components, not for TOP Server or OmniServer specifically. These Wonderware components are simply used by TOP Server or OmniServer when Wonderware communicates to them using the SuiteLink interface.
To determine whether a system is vulnerable, inspect the file version of the SuiteLink service located at “\Program Files\Common Files\Archestra\slssvc.exe” on a 32-bit OS and “\Program Files (x86)\Common Files\Archestra\slssvc.exe” on a 64-bit OS. If the file version is:
- equal to or less than 54.x.x.x, the system is vulnerable;
- greater than or equal to 58.x.x.x, the system is NOT vulnerable;
- versions 55 through 57 were never released to market, so you will not encounter them.
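The version check above, scripted for PowerShell as an added example (this is not code from the notice, Invensys or Software Toolbox). It assumes only the two install locations named in the notice, resolved through the standard ProgramFiles environment variables, and classifies the file by the thresholds the notice gives:

```powershell
# Added example, not part of the Wonderware/Software Toolbox notice.
# Reads the file version of slssvc.exe and applies the notice's thresholds:
# major version <= 54 vulnerable, >= 58 not vulnerable, 55-57 never shipped.

function Get-SuiteLinkStatus {
    param([Parameter(Mandatory)][int]$Major)

    if ($Major -le 54) { return 'VULNERABLE' }
    if ($Major -ge 58) { return 'NOT VULNERABLE' }
    return 'UNEXPECTED VERSION (55-57 were never released) - verify the file manually'
}

# Both locations from the notice; the (x86) variable only exists on 64-bit Windows.
$candidates = @(Join-Path $env:ProgramFiles 'Common Files\Archestra\slssvc.exe')
if (${env:ProgramFiles(x86)}) {
    $candidates += Join-Path ${env:ProgramFiles(x86)} 'Common Files\Archestra\slssvc.exe'
}

$found = $false
foreach ($path in ($candidates | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $found = $true
    $info   = (Get-Item -LiteralPath $path).VersionInfo
    $status = Get-SuiteLinkStatus -Major $info.FileMajorPart
    [pscustomobject]@{
        Path        = $path
        FileVersion = $info.FileVersion
        Status      = $status
    }
}

if (-not $found) {
    Write-Output 'slssvc.exe not found: the SuiteLink service is not installed on this node.'
}
```

Run it in a PowerShell session on each node that carries SuiteLink (TOP Server, OmniServer and Wonderware product nodes alike). Note that a 32-bit PowerShell host on 64-bit Windows maps $env:ProgramFiles to the (x86) directory, so both candidate paths can coincide; the Select-Object -Unique step just prevents the same file from being reported twice. A node reported as NOT VULNERABLE may still be the InTouch 2012 / WAS 2012 build described below, which does not crash but does show excessive resource consumption.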
The SuiteLink version shipped with InTouch 2012 and WAS 2012 is not vulnerable to a crash but will show excessive resource consumption if exploited.
Invensys is preparing a Security Update that mitigates the identified denial of service vulnerability and can be installed on all supported versions of Wonderware products that use the SuiteLink service. Since this is a common component, Wonderware recommends the installation of this security update on all Wonderware product nodes that use SuiteLink communication.
Mitigation Recommendations
Customers that require an immediate mitigation may upgrade to the following Wonderware product versions, or install the following Wonderware products on any affected node, to update SuiteLink and fix this vulnerability:
- InTouch/Wonderware Application Server (IT 10.5, WAS 3.5) or later
- DAServer Runtime Components Upgrade 3.0 SP2, 3.0 SP3 or higher for any DAServer, DI Object or third-party DAServer installation.