When the NetDDE share vulnerability in Wonderware’s InTouch 8.0 HMI was announced by US-CERT, we noticed that most dismissed it as just typical control system weak permissions. The same as commonly seen in OPC DCOM configurations. However, the true impact of a weak NetDDE share is much greater than allowing any user to access the control system application.

The NetDDE share vulnerability in InTouch 8.0 and similar weak NetDDE shares in other applications and software utilities allows an attacker to take complete control of the workstation or server and use it to attack other systems in the zone. Essentially it allows an attacker to use any application with a DDE interface, not just a NetDDE interface. An attacker can use the share to have Internet Explorer or Firefox open a web browser page with malicious code; an attacker can upload a Trojan or other program; an attacker can open a Telnet session; an attacker can set a hot key to run a program whenever the key is hit to randomize attacks sent over time; an attacker can …

Subscribers to the site can download Neutralbit’s nbDDE tool that was used to demonstrate the exploits at S4 and the tool documentation. This tool is also an easy way to see if you have any NetDDE shares. Xavier and Lluis from Neutralbit continue to do great work.

While the published vuln deals with InTouch, poorly configured NetDDE shares go beyond InTouch. A lot of asset owners right small programs to use NetDDE to transfer data into an Excel spreadsheet of Access Database. We found ‘guidance’ on the Internet telling people to create the vulnerable share to enable the NetDDE interface.

A number of commercial applications have a NetDDE interface, and we have created a list of all control system applications with a NetDDE interface we could find. Let us know what we missed.

Asset owners should:

1) Determine if they need a NetDDE interface.

2) Disable the NetDDE services if not needed. XP SP2 has these services off by default.

3) If NetDDE is required, implement a least privilege share. NetDDE allows a system to limit access to specific applications, documents, and even portions of the documents. Access and permissions can be set by user or group as well. The key is to avoid the wide open share like seen in the *|*.

Jason has written up a SCADApedia entry on this vulnerability, and there is more detail in the Neutralbit/Digital Bond S4 paper.