Zero Days Here Again

Tuesday, March 29, 2011 @ 11:03 AM gHale

There is a Structured Query Language (SQL) vulnerability in the Ecava IntegraXor human machine interface (HMI) product that could allow data leakage, data manipulation, and remote code execution against the backend host running the database service, according to ICS-CERT.

Meanwhile, in another vulnerability, security specialist Ruben Santamarta published code demonstrating a flaw in the web-based virtualization software WebAccess from BroadWin. According to Santamarta, the flaw in the WebAccess Network Service’s RPC interface allows code to be injected. He informed ICS-CERT, which then contacted the vendor.

In the Ecava case, ICS-CERT, which received a report from independent security researcher Dan Rosenberg with Virtual Security Research (VSR), coordinated with Ecava, verified the vulnerability, and developed a patched release of IntegraXor (Build 4050) to address it. ICS-CERT and the independent security researcher validated the patch.

The vulnerability affects all IntegraXor versions prior to Version 3.60 (Build 4032).

ICS-CERT recommended organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Ecava Sdn Bhd, a Malaysia-based software development company that produces the IntegraXor product, specializes in factory and process automation solutions.

IntegraXor is a suite of tools used to create and run a web-based HMI interface for Supervisory Control and Data Acquisition (SCADA) systems. IntegraXor runs in several areas of process control in 38 countries around the world with the largest installed base in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.

IntegraXor is vulnerable to the execution of an unauthenticated SQL statement. An attacker may execute arbitrary SQL statements against the IntegraXor database by sending a specially crafted HTTP POST request. Exploitation of this vulnerability results in potential data leakage, data manipulation, and remote code execution against the backend host running the database service.

An attacker could exploit this vulnerability from a remote machine.

While there is no known incident, an attacker with moderate skill level could exploit this vulnerability from a remote machine.

ICS-CERT recommends users of Ecava IntegraXor take the following mitigation steps:
• Use the following link to obtain the patched version of Ecava IntegraXor (Build 4050). For more information, customers should contact Ecava support at support@integraxor.com.

• Minimize network exposure for all control system devices; critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. If remote access is required, employ secure methods such as Virtual Private Networks (VPNs).

In the BroadWin WebAccess situation, the software is a web-based HMI platform used in energy, manufacturing, and building automation applications. WebAccess sees use throughout Asia, North America, North Africa, and the Middle East. Advantech also sells BroadWin software.

ICS-CERT said the vendor was not able to confirm the flaw. Santamarta later wrote that the vendor denied the flaw’s existence, so he published the exploit.

In lieu of a patch, ICS-CERT recommends BroadWin users protect their systems with a firewall and use VPNs for remote access.

ICS-CERT is continuing to work with BroadWin to develop a solution to mitigate this vulnerability.