CSWorks: web-based industrial automation

Of CSWorks and software development

Important: CSWorks security release 2.5.5233.0

May 8, 2014 13:51 by Sergey Sorokin

Date: May 8, 2014
Subject: SQL injection vulnerability in CSWorks LiveData Service
Versions: 2.5.5050.0 and earlier
Summary: Remote attackers can achieve remote code execution on the server running CSWorks LiveData Service via SQL injection on.

Description
CSWorks LiveData Service 2.5.5050.0 and earlier allows remote attackers to perform SQL injection via the CSWorks LiveData web API and achieve remote code execution using the MySQL "INTO OUTFILE" feature.

Mitigation
When using an SQL database as a CSWorks data source, make sure CSWorks uses a database engine account that is not allowed to perform actions beyond the scope of CSWorks LiveData operations: selecting and updating records in specific SQL tables. Under no circumstances should administrators give root access to CSWorks. Also, administrators should not allow unauthorized users to access the CSWorks web API.

Patch availability

CSWorks 2.5.5233.0 has been issued as a security release to correct the defect. CSWorks administrators running affected versions are advised to (in order of importance):

  • verify CSWorks LiveData Service SQL database settings;
  • verify CSWorks web API access policy;
  • upgrade to 2.5.5233.0 (available at the CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx).
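
One way to verify the database account, as an added example that is not CSWorks code: the script below audits MySQL SHOW GRANTS output for the account LiveData connects with and flags anything beyond SELECT and UPDATE on the expected tables, including the global FILE privilege that INTO OUTFILE depends on. The account csworks_ld, the table scada.measurements and all grant lines are constructed for illustration.

```python
import re

# Added example, not CSWorks code. Account and table names are constructed.
ALLOWED_PRIVS = {"SELECT", "UPDATE", "USAGE"}  # USAGE means "no privileges"
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)$",
    re.IGNORECASE,
)

def audit_grants(lines, allowed_tables):
    """Return (code, scope) findings for each over-broad GRANT line."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        scope = m.group("scope").replace("`", "")
        # Drop column lists such as "SELECT (a, b)" before splitting on commas.
        names = re.sub(r"\([^)]*\)", "", m.group("privs")).upper().split(",")
        privs = {n.strip() for n in names}
        is_all = bool(privs & {"ALL", "ALL PRIVILEGES"})
        # FILE is a global privilege; SELECT ... INTO OUTFILE requires it.
        if "FILE" in privs or (is_all and scope == "*.*"):
            findings.append(("file-write", scope))
        if privs - ALLOWED_PRIVS - {"FILE"}:
            findings.append(("excess-privilege", scope))
        if privs != {"USAGE"} and scope not in allowed_tables:
            findings.append(("scope-too-wide", scope))
        if "WITH GRANT OPTION" in m.group("rest").upper():
            findings.append(("grant-option", scope))
    return findings

# Constructed SHOW GRANTS output for two accounts.
TABLES = {"scada.measurements"}
SCOPED_ACCOUNT = [
    "GRANT USAGE ON *.* TO 'csworks_ld'@'localhost'",
    "GRANT SELECT, UPDATE ON `scada`.`measurements` TO 'csworks_ld'@'localhost'",
]
ROOT_ACCOUNT = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for label, grants in (("csworks_ld", SCOPED_ACCOUNT), ("root", ROOT_ACCOUNT)):
        print(label, audit_grants(grants, TABLES) or "OK")
```

An empty result means the account is limited to selecting and updating records in the listed tables; any finding is a reason to recreate the account with narrower grants.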

 

Credits
The vulnerability was reported by John Leitch, working with HP Zero Day Initiative.

References
http://www.zerodayinitiative.com/advisories/
 



CSWorks 2.5.5050.0 released

November 12, 2013 22:55 by Sergey Sorokin

What's new:

  • Server: REST History Reader Web Service 
  • HTML5 Historical Trend Demo 

 



CSWorks 2.5.4912.0 released

June 13, 2013 13:35 by Sergey Sorokin

What's new:

  • LiveData: improved diagnostics for synchronous Read/Write operations 
  • Client: LiveData HTML5 trend demo 
  • Alarm Server and History Recorder: expression parser improvements, introduced expression tester utility 
  • Licensing: license file in ProgramData folder 


CSWorks 2.5.4770.1 released

April 23, 2013 21:31 by Sergey Sorokin

What's new:

  • Minor fixes in HTML5 client and setup


CSWorks 2.5.4770.0 released

February 6, 2013 13:25 by Sergey Sorokin

What's new:

  • HTML5 support
  • RESTful LiveData web service

CSWorks LiveData client now runs on any platform that supports HTML5 browsing with SVG graphics and animations.



CSWorks 2.1.4560.0 released

September 1, 2012 09:49 by Sergey Sorokin

What's new:

  • OPC provider: ignoreOpcQuality setting
  • BACnet IP provider: whoIsInterval, networkId, serverDeviceId, vendorId, keepAliveTimeout settings
  • DTO: template parameter strings now can be escaped to allow backslash, equal signs and semicolons in the parameter values
  • LiveData Service: no need to restart the service after changing data source configuration
  • LiveData Service: sampleBufferLength setting is optional now

 



Modbus support in CSWorks

February 27, 2012 23:51 by Sergey Sorokin

Starting from version 2.1, the CSWorks installation package includes a Modbus TCP data source provider. Now you can build web-based solutions that communicate with Modbus devices: controllers, modules, thermostats, or any other kind of hardware that supports Modbus. Here is a quick demonstration.

Hardware

We will need:

  • room thermostat that supports Modbus RTU (in this demo we use Tstat6 thermostat provided by Temco Controls);
  • Modbus TCP to serial adapter;
  • local network;
  • desktop computer (server);
  • notebook computer (client).


We have to use a Modbus TCP to serial adapter, because CSWorks supports only the TCP version of the Modbus protocol, and our thermostat provides only Modbus RTU (good old RS-485) connectivity. Make sure that:

  • both computers and Modbus adapter are connected to your local network;
  • thermostat is connected to the adapter via RS-485.

Modbus thermostat SCADA/HMI diagram

Software

The following software will be used:

  • CSWorks 2.1 on the server; full CSWorks version is required, CSWorks Light will not let clients from other computers access the application;
  • Microsoft Visual Studio 2010 on the server;
  • web browser on the notebook.

Build demo application

On the server computer, open the Visual Studio project at C:\Program Files\CSWorks\Demo\Src\ModbusThermostatIntegrationDemo\ and build it. Please note that the connection points used in this sample are specific to this particular thermostat; your connection points will be different (see the Modbus integration guide for your thermostat). Build the Release|x86 (for 32-bit installations) or Release|x64 (for 64-bit installations) configuration. The build script will place the compiled application file (CSWorks.Client.ModbusThermostatIntegrationDemo.xap) and the hosting HTML file (ModbusThermostatIntegrationDemo.html) in the corresponding locations under C:\Program Files\CSWorks\Demo\Web\. Your client demo application is ready.

Add LiveData source

CSWorks LiveData Service must be aware of the new data source, the Modbus device. Our client application will connect to a data source called "Tstat6" (see MainPage.xaml of the client application), so we have to add a new data source with this name. Add the following piece to the LiveData Service configuration file (see C:\Program Files\CSWorks\Framework\Server\CSWorks.Server.LiveDataService.exe.config):

<modbusTcpLiveDataSource name="Tstat6" ipPort="502" ipAddress="192.168.1.71" unitId="254" sampleBufferLength="16" updateRate="500">
  <templates>
    <template name="analogOutputHoldingRegisterInt16" type="Int16" readPath="AnalogOutputHoldingRegister(($address))" canWrite="true" />
  </templates>
</modbusTcpLiveDataSource>


This demo works only with Analog Output Holding Registers, so only one template is defined for this data source. Please make sure that the unitId attribute corresponds to the device identifier of the thermostat, otherwise CSWorks may not be able to communicate with it. When done, restart CSWorks LiveData Service.
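
To show where unitId ends up on the wire, here is an added example (not part of CSWorks) that builds a Modbus TCP Read Holding Registers request for the data source above and decodes the reply as signed Int16, rejecting replies whose transaction or unit identifier does not match the request. Register address 101 and the reply bytes are constructed; take real addresses from your thermostat's Modbus integration guide.

```python
import struct

# Added example, not CSWorks code.
READ_HOLDING_REGISTERS = 0x03

def build_read_request(transaction_id, unit_id, address, count=1):
    """MBAP header + PDU for a Read Holding Registers request."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, address, count)
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_read_response(frame, transaction_id, unit_id):
    """Return the registers as signed Int16 values, or raise ValueError."""
    if len(frame) < 9:
        raise ValueError("short frame")
    tid, proto, length, uid, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if tid != transaction_id or uid != unit_id:
        raise ValueError("reply does not match request (check unitId)")
    if func == READ_HOLDING_REGISTERS | 0x80:
        raise ValueError("Modbus exception code %d" % frame[8])
    if func != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code %d" % func)
    byte_count, data = frame[8], frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("bad byte count")
    # Holding registers are big-endian; ">h" decodes them as signed Int16.
    return list(struct.unpack(">%dh" % (byte_count // 2), data))

# Constructed frames: unit id 254 as in the Tstat6 data source, register 101.
SAMPLE_REPLY = bytes.fromhex("000100000005fe030200d7")
SAMPLE_EXCEPTION = bytes.fromhex("000100000003fe8302")

if __name__ == "__main__":
    print(build_read_request(1, 254, 101).hex())
    print(parse_read_response(SAMPLE_REPLY, 1, 254))
```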

Configure LiveData web service

The LiveData web service must be aware of the "Tstat6" data source as well. Add an entry for "Tstat6" to the LiveData Web Service configuration file (C:\Program Files\CSWorks\Demo\Web\LiveDataWebService\web.config):

<liveDataTopology>
  <liveDataPartitions>
    <liveDataPartition name="partition1" primaryLiveDataServer="liveDataServer_1_primary" secondaryLiveDataServer="">
       <dataSources>
         ...
         <dataSource name="Tstat6"/>

Run the application

On the client notebook, open a browser and navigate to the CSWorks application page:

http://<server_computer_name_or_ip_address>/CSWorksDemo/ModbusThermostatIntegrationDemo.html

After a few seconds of initialization, you will see the demo reading values from the thermostat:

Modbus Thermostat picture

Congratulations! Your thermostat is web-enabled now.



CSWorks 2.1.4386.0 released

January 16, 2012 02:00 by Sergey Sorokin

What's new:

  • SQL LiveData provider tested with PostgreSQL 9.0.4, npgsql provider 2.0.11.91
  • Server: Modbus TCP support
  • Client: Modbus thermostat integration demo

 



Important: CSWorks security release 2.0.4115.1

October 27, 2011 11:23 by Sergey Sorokin

Date: October 27, 2011
Subject: DoS vulnerability in CSWorks LiveData Service
Versions: 2.0.4115.0 and earlier
Summary: Remote attackers can perform a denial of service (software crash).


Description
CSWorks LiveData Service 2.0.4115.0 and earlier allows remote attackers to cause a denial of service after sending crafted TCP packets. Isolating communication between CSWorks LiveData Service and web servers that accept requests from client applications mitigates the issue.


Patch availability
CSWorks 2.0.4115.1 has been issued as a security release to correct the defect. CSWorks administrators running affected versions are advised to upgrade to 2.0.4115.1 as soon as possible. The security release can be downloaded from the CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx.


Credits

The vulnerability was reported by Kuang-Chun Hung, Security Research and Service Institute - Information and Communication Security Technology Center (ICST), Taiwan R.O.C


References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3996 (will be available after confirmation by MITRE)
http://jvn.jp/en/jp/JVN98649286/index.html (will be available after confirmation by JPCERT/CC)



PostgreSQL support

July 29, 2011 16:09 by Sergey Sorokin

Recently, we tested the CSWorks SQL LiveData provider (version 2.0.4115.0) against a PostgreSQL database (connecting using npgsql 2.0.11.91), and it worked fine. Here are the settings we used in the CSWorks.Server.LiveDataService.config.

Provider reference:

<system.data>
  <DbProviderFactories>
    ...
    <!-- Make sure that npgsql and its dependencies are accessible -->
    <remove invariant="npgsql"/>
    <add invariant="npgsql" name="PostreSQL Provider for .NET"
      description=".NET PostreSQL Provider for .NET"
      type="Npgsql.NpgsqlFactory, npgsql, Version=2.0.11.91, Culture=neutral, PublicKeyToken=5d8b90d52f46fda7" />
  </DbProviderFactories>
</system.data>

Data source description:

<sqlLiveDataSource name="Database01" sampleBufferLength="16" sqlProviderInvariantName="npgsql"
  connectionString="User Id=postgres;Password=pg123!;Server=localhost;Port=5432;Database=postgres;"
  updateRate="1000" maxQueryLength="65535" queryDelimiter=";" useZeroAndOneForBoolean="false">

Yes, you can use the boolean data type to store discrete values; see our sample PostgreSQL table definition:

CREATE TABLE measurements(
  PointName varchar(64) NULL,
  Sensor1 int2 NULL,
  Sensor2 smallint NULL,
  Sensor4 int NULL,
  Sensor8 bigint NULL,
  Sensor1u int2 NULL,
  Sensor2u smallint NULL,
  Sensor4u int NULL,
  Sensor8u bigint NULL,
  Sensor10 float NULL,
  Sensor50 varchar(64) NULL,
  Sensor100 boolean NULL);

INSERT INTO measurements VALUES ('Point101', 1,2,4,8,1,2,4,8,8.0,'TestString',true);

Another SQL database under CSWorks' belt!
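
The connection string shown above logs in as postgres, PostgreSQL's default superuser, which runs against the least-privilege mitigation in the May 8, 2014 advisory on this page. The added example below (not CSWorks code) scans a LiveData configuration for sqlLiveDataSource entries that use a default administrative account; the wrapper element liveDataSources, the Database02 entry and the account csworks_ld are constructed, and the name check is only a first pass before reviewing the account's actual privileges.

```python
import xml.etree.ElementTree as ET

# Added example, not CSWorks code.
# Default administrative accounts: MySQL root, PostgreSQL postgres, SQL Server sa.
SUPERUSER_NAMES = {"root", "postgres", "sa"}
USER_KEYS = ("user id", "uid", "user", "username", "user name")

def parse_connection_string(text):
    """Split an ADO.NET-style 'Key=Value;...' string into a lower-cased dict."""
    pairs = (item.split("=", 1) for item in text.split(";") if "=" in item)
    return {k.strip().lower(): v.strip().strip("'\"") for k, v in pairs}

def audit_sql_sources(config_xml):
    """Return (source name, user, finding) for each questionable SQL data source."""
    findings = []
    for src in ET.fromstring(config_xml).iter("sqlLiveDataSource"):
        fields = parse_connection_string(src.get("connectionString", ""))
        user = next((fields[k] for k in USER_KEYS if k in fields), None)
        if user is None:
            findings.append((src.get("name"), None, "no account in connection string"))
        elif user.lower() in SUPERUSER_NAMES:
            findings.append((src.get("name"), user, "default superuser account"))
    return findings

# Constructed configuration: Database01 mirrors the settings in this post,
# Database02 uses a hypothetical dedicated account.
SAMPLE_CONFIG = """
<liveDataSources>
  <sqlLiveDataSource name="Database01" sqlProviderInvariantName="npgsql"
    connectionString="User Id=postgres;Password=pg123!;Server=localhost;Port=5432;Database=postgres;" />
  <sqlLiveDataSource name="Database02" sqlProviderInvariantName="npgsql"
    connectionString="User Id=csworks_ld;Password=CHANGE_ME;Server=localhost;Port=5432;Database=scada;" />
</liveDataSources>
"""

if __name__ == "__main__":
    for name, user, finding in audit_sql_sources(SAMPLE_CONFIG):
        print("%s: %s (%s)" % (name, finding, user))
```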