Ecava Fixes IntegraXor Vulnerabilities

Thursday, April 14, 2016 @ 04:04 PM gHale


Ecava produced a new version of IntegraXor to mitigate multiple vulnerabilities in the application, according to a report on ICS-CERT.

Independent security researcher Marcus Richerson, along with Steven Seeley of Source Incite working with Trend Micro’s Zero Day Initiative, tested the new version to validate that it resolves all the remotely exploitable vulnerabilities except for one incomplete fix, which Ecava plans to fully address in an upcoming release.

Exploits that target these vulnerabilities are publicly available.

IntegraXor versions prior to Version 5.0, build 4522, suffer from the issues.

Successful exploitation of these vulnerabilities may allow a remote attacker to gain full access to an affected system.

Ecava Sdn Bhd (Ecava) is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava specializes in factory and process automation solutions.

The affected product, IntegraXor, is a suite of tools used to create and run a web-based human‑machine interface for a SCADA system. IntegraXor deploys across several sectors including critical manufacturing, energy, and water and wastewater systems. Ecava estimates this product sees use in multiple countries, with the largest installations based in the United Kingdom, the United States, Australia, Poland, Canada, and Estonia.

IntegraXor HMI web server transmits unencrypted sensitive information.

CVE-2016-2306 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the application is vulnerable to Document Object Model (DOM)-based cross-site scripting, which can be exploited by including malicious HTML and JavaScript in the URL. If the HMI operator were using the SCADA application and were to click a specially crafted link or go to a malicious web site, then an attacker may be able to perform malicious functions on the SCADA software using JavaScript.

CVE-2016-2305 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.7.

In one other vulnerability, the application does not set the HTTPOnly flag on the session cookie, which may allow a remote attacker to steal the cookie and resend it to potentially log in as an administrative user.

CVE-2016-2304 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.

The IntegraXor HMI does not neutralize special elements in inputs.

CVE-2016-2303 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Also, the application does not properly check whether a user has authenticated prior to accessing some sensitive web pages.

CVE-2016-2300 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

The application is vulnerable to unauthenticated SQL injection which may allow an attacker to remotely execute code in certain situations.

CVE-2016-2299 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

The application uses detailed error messages that an attacker could use to extract information that could then be used in an attack.

CVE-2016-2302 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The application is vulnerable to authenticated SQL injection that may allow an attacker to extract information about the database and further exploit the application.

CVE-2016-2301 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Exploits that target these vulnerabilities are publicly available. On top of that, an attacker with low skill would be able to exploit these vulnerabilities.

Ecava created a new version that addresses the reported vulnerabilities, as well as some identified security risks, in Version 5.0, build 4522. Ecava resolved the authenticated SQL injection associated with operator and supervisor accounts. Ecava is planning to address the remaining risk to administrative accounts in an upcoming release.

Ecava also released a vulnerability note.