Important: CSWorks security release 2.5.5233.0
Date: May 8, 2014
Subject: SQL injection vulnerability in CSWorks LiveData Service
Versions: 2.5.5050.0 and earlier
Summary: Remote attackers can achieve remote code execution on the server running CSWorks LiveData Service via SQL injection on.
CSWorks LiveData Service 2.5.5050.0 and earlier allows remote attackers to perform SQL injection via CSWorks LiveData web API and achieve remote code execution using mySQL "INTO OUTFILE" feature.
When using SQL database as CSWorks data source, make sure CSWorks is using the database engine account that does not allow perform actions that go beyond the scope of CSWorks LiveData operations - selecting and updating records in specific SQL tables. Under no circumstances should administrators give root access to CSWorks. Also, administrators should not allow unauthorized users to access CSWorks web API.
CSWorks 2.5.5233.0 has been issued as security release to correct the defect. CSWorks administrators running affected versions are advised to (in the order of importance):
- verify CSWorks LiveData Service SQL database settings;
- verify CSWorks web API access policy;
- upgrade to 2.5.5233.0 (available at CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx).
The vulnerability was reported by John Leitch working with HP Zero Day Initiative
- Server: REST History Reader Web Service
- HTML5 Historical Trend Demo
- HTML5 support
- RESTful LiveData web service
CSWorks LiveData client now runs on any platform that supports HTML5 browsing with SVG graphics and animations.
- OPC provider: ignoreOpcQuality setting
- BACnet IP provider: whoIsInterval, networkId, serverDeviceId, vendorId, keepAliveTimeout settings
- DTO: template parameter strings now can be escaped to allow backslash, equal signs and semicolons in the parameter values
- LiveData Service: no need to restart the service after changing data source configuration
- LiveData Service: sampleBufferLength setting is optional now
Starting from version 2.1, CSWorks installation package includes Modbus TCP data source provider. Now you can build web-based solutions that can communicate with Modbus devices - controllers, modules, thermostats - any kind of hardware that supports Modbus. Here is a quick demonstration.
We will need:
- room thermostat that supports Modbus RTU (in this demo we use Tstat6 thermostat provided by Temco Controls);
- Modbus TCP to serial adapter;
- local network;
- desktop computer (server);
- notebook computer (client).
We have to use Modbus TCP to serial adapter, because CSWorks supports only TCP version of the Modbus protocol, and our thermostat provides only Modbus RTU (good old RS-485) connectivity. Make sure that:
- both computers and Modbus adapter are connected to your local network;
- thermostat is connected to the adapter via RS-485.
The following software will be used:
- CSWorks 2.1 on the server; full CSWorks version is required, CSWorks Light will not let clients from other computers access the application;
- Microsoft VisualStudio 2010 on the server;
- web browser on the notebook.
Build demo application
On the server computer, open VisualStudio project at C:\Program Files\CSWorks\Demo\Src\ModbusThermostatIntegrationDemo\ and build it. Please note that these connection points used in this sample are specific to the particular thermostat, your connections points will be different - see Modbus integration guide for your thermostat. Build Release|x86 (for 32-bit installations) or Release|x64 (for 64-bit installations) configuration. Build script will place the compiled application file (CSWorks.Client.ModbusThermostatIntegrationDemo.xap) and hosting HTML file (ModbusThermostatIntegrationDemo.html) to the correspondent locations under C:\Program Files\CSWorks\Demo\Web\. Your client demo application is ready.
Add LiveData source
CSWorks LiveData Service must be aware of the new data source - Modbus device. Our client application will connect to a data source called "Tstat6" (see MainPage.xaml of the client application), so we have to add a new data source with this name. Add the following piece to the LiveData Service configuration file (see C:\Program Files\CSWorks\Framework\Server\CSWorks.Server.LiveDataService.exe.config):
<modbusTcpLiveDataSource name="Tstat6" ipPort="502" ipAddress="192.168.1.71" unitId="254" sampleBufferLength="16" updateRate="500">
<template name="analogOutputHoldingRegisterInt16" type="Int16" readPath="AnalogOutputHoldingRegister(($address))" canWrite="true" />
This demo works only with Analog Output Holding Registers, so there is only one template is defined for this data source. Please make sure that unitId attribute corresponds to the device identifier of the thermostat, otherwise CSWorks may not be able to communicate to it. When done, restart CSWorks LiveData Service.
Configure LiveData web service
LiveData web service must be aware of the "Tstat6" data source as well. Add an antry for "Tstat6" to the LiveData Web Service configuration file (C:\Program Files\CSWorks\Demo\Web\LiveDataWebService\web.config):
<liveDataPartition name="partition1" primaryLiveDataServer="liveDataServer_1_primary" secondaryLiveDataServer="">
Run the application
On the client notebook, open a browser and navigate to the CSWorks application page:
After a few seconds of initialization, you will see the demo reading values from the thermostat (click on the image to enlarge it):
Congratulations! Your thermostat is web-enabled now.
- SQL LiveData provider tested with PostgreSQL 9.0.4, npgsql provider 22.214.171.124
- Server: Modbus TCP support
- Client: Modbus thermostat integration demo
Date: October 27, 2011
Subject: DoS vulnerability in CSWorks LiveData Service
Versions: 2.0.4115.0 and earlier
Summary: Remote attackers can perform a denial of service(software crash).
CSWorks LiveData Service 2.0.4115.0 and earlier allows remote attackers to cause a denial of service after sending crafted TCP
packets. Isolating communication between CSWorks LiveData Service and web servers that accept requests from client applications mitigates the issue.
CSWorks 2.0.4115.1 has been issued as security release to correct the defect. CSWorks administrators running affected versions are advised to upgrade to 2.0.4115.1 as soon as possible. The security release can be downloaded from CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx.
The vulnerability was reported by Kuang-Chun Hung, Security Research and Service Institute - Information and Communication Security Technology Center (ICST), Taiwan R.O.C
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3996 (will be available after confirmation by MITRE)
http://jvn.jp/en/jp/JVN98649286/index.html (will be available after confirmation by JPCERT/CC)
|Recently, we have tested CSWorks SQL LiveData provider (version 2.0.4115.0) against PostgreSQL database (connecting using npgsql 126.96.36.199), and it worked fine. Here are the settings we used in the CSWorks.Server.LiveDataService.config.
<!-- Make sure that npgsql and its dependencies are accessible -->
<add invariant="npgsql" name="PostreSQL Provider for .NET"
description=".NET PostreSQL Provider for .NET"
type="Npgsql.NpgsqlFactory, npgsql, Version=188.8.131.52, Culture=neutral, PublicKeyToken=5d8b90d52f46fda7" />
Data source description:
<sqlLiveDataSource name="Database01" sampleBufferLength="16" sqlProviderInvariantName="npgsql"
updateRate="1000" maxQueryLength="65535" queryDelimiter=";" useZeroAndOneForBoolean="false">
Yes, you can use boolean data type to store discrete values, see our sample PostgreSQL table definition:
CREATE TABLE measurements(
PointName varchar(64) NULL,
Sensor1 int2 NULL,
Sensor2 smallint NULL,
Sensor4 int NULL,
Sensor8 bigint NULL,
Sensor1u int2 NULL,
Sensor2u smallint NULL,
Sensor4u int NULL,
Sensor8u bigint NULL,
Sensor10 float NULL,
Sensor50 varchar(64) NULL,
Sensor100 boolean NULL)
insert into measurements values('Point101', 1,2,4,8,1,2,4,8,8.0,'TestString',true)
Another SQL database under CSWorks' belt!