Ecava Fixes SCADA Server Holes

Friday, September 12, 2014 @ 01:09 PM gHale

Ecava created a patch that mitigates an improper privilege management vulnerability in the IntegraXor SCADA Server, along with three other vulnerabilities, according to an advisory from ICS-CERT.

Alain Homewood, who found three of the vulnerabilities, tested the patch and validated that it resolves the issues he identified. Independent researcher Andrea Micalizzi found the improper privilege management vulnerability. All four vulnerabilities are remotely exploitable.

The following Ecava products are affected:
• IntegraXor SCADA Server v4.1.4360 (latest stable release) and earlier versions, and
• IntegraXor SCADA Server v4.1.4392 (latest beta release) and earlier versions.

These vulnerabilities allow an attacker to read and modify files and database records on the Ecava IntegraXor SCADA server. This could allow an attacker to read previously exported reports and files on the server; overwrite reports and files; read and modify records in the database, including tables users do not typically have access to; create large files to cause a denial of service; and write malicious files that can end up leveraged to further attack a system.

Ecava Sdn Bhd (Ecava) is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava specializes in factory and process automation solutions.

IntegraXor is a suite of tools used to create and run a web-based human-machine interface for a SCADA system. IntegraXor is deployed in several areas of process control in 38 countries, with the largest installations based in the United Kingdom, the United States, Australia, Poland, Canada, and Estonia.

IntegraXor can export various reports to CSV files. An unauthenticated attacker could manipulate this functionality to read and write arbitrary files on the server. This could cause a loss of confidentiality in logs, reports, and configuration settings. A denial of service can also result from creating very large files on the server. Malicious files can also be uploaded and leveraged as part of a cross-site request forgery attack against authorized users.
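The two properties an export handler needs in order to avoid the file read/write and disk-filling problems described above are path confinement (the client-supplied report name must resolve inside the export directory) and a size cap. The following is an added illustration, not Ecava's code and not derived from the advisory; the `resolve_export_path` and `write_export` functions, the `.csv`-only rule, the size limit, and the probe names are all assumptions chosen for the example.

```python
import csv
import io
import os
import tempfile

# Hypothetical hardened export handler, constructed for this example (not IntegraXor code).
MAX_EXPORT_BYTES = 1 * 1024 * 1024  # cap on one export; limits disk-filling denial of service


class ExportError(ValueError):
    """Raised when a client-supplied export request is refused."""


def resolve_export_path(export_dir, requested_name):
    """Map a client-supplied report name onto a path confined to export_dir.

    Rejects anything that is not a bare file name (directory separators,
    '..' components, absolute paths), hidden files, and non-.csv names, then
    re-checks the resolved path so symlinks cannot escape the directory either.
    """
    if not requested_name or requested_name != os.path.basename(requested_name):
        raise ExportError("name must be a bare file name")
    if requested_name.startswith(".") or not requested_name.endswith(".csv"):
        raise ExportError("only .csv reports may be exported")
    base = os.path.realpath(export_dir)
    target = os.path.realpath(os.path.join(base, requested_name))
    # realpath() collapses '..' and symlinks; the result must still sit under base
    if os.path.commonpath([base, target]) != base:
        raise ExportError("path escapes export directory")
    return target


def write_export(export_dir, requested_name, rows, max_bytes=MAX_EXPORT_BYTES):
    """Serialize rows to CSV and write the file only if it fits the size cap."""
    path = resolve_export_path(export_dir, requested_name)
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    data = buf.getvalue()
    if len(data.encode("utf-8")) > max_bytes:
        raise ExportError("export exceeds size limit")
    # mode 'x' creates the file and fails if it already exists, so an attacker
    # cannot use the export feature to overwrite an existing report
    with open(path, "x", encoding="utf-8", newline="") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise the checks in a temporary directory; returns the outcome per probe."""
    results = {}
    # constructed probe names: one legitimate request and several traversal attempts
    probes = ["daily.csv", "../../etc/passwd", "/etc/passwd", "..", "../daily.csv", "notes.txt"]
    with tempfile.TemporaryDirectory() as export_dir:
        for name in probes:
            try:
                resolve_export_path(export_dir, name)
                results[name] = "allowed"
            except ExportError as exc:
                results[name] = "rejected: %s" % exc
        # constructed sample rows standing in for an exported report
        path = write_export(export_dir, "daily.csv", [["tag", "value"], ["FLOW_01", "12.5"]])
        results["written"] = os.path.basename(path)
        try:
            write_export(export_dir, "big.csv", [["x" * 1024]] * 2048)  # about 2 MiB
            results["big.csv"] = "allowed"
        except ExportError as exc:
            results["big.csv"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print("%-20s %s" % (probe, outcome))
```

The bare-name check does most of the work; the `realpath`/`commonpath` comparison is defense in depth for symlinks already present in the export directory, and the size cap is checked before anything touches the disk.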

CVE-2014-2375 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.

Ecava IntegraXor uses several back-end SQL databases. Access to the logging and report databases is weakly protected: unauthenticated users can read logs and can read and delete reports. By manipulating SQL queries, an attacker could read arbitrary files from the server, connect to other SQL databases, and read data from tables that are normally restricted. An attacker could also cause a denial of service by writing a large amount of data to the database or by crafting a computationally expensive query. With this access, an attacker could further manipulate data within the tables, including configuration data.
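To make the two failure modes in this paragraph concrete, the following added example (constructed for this page, not IntegraXor code, and using an in-memory SQLite database rather than whatever engine the product ships with) shows a report lookup built by string concatenation being turned into a UNION query that reads a restricted table, the parameterized form that does not, and a per-statement execution budget that aborts a computationally expensive query. The table names, the `users` rows and their placeholder hashes, the payload and the step budget are all assumptions.

```python
import sqlite3

# Constructed sample schema: a reports table and a users table that a report
# lookup should never be able to reach.
SCHEMA = """
CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, path TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
CREATE TABLE log (id INTEGER PRIMARY KEY, msg TEXT);
INSERT INTO reports (name, path) VALUES ('daily', 'daily.csv'), ('weekly', 'weekly.csv');
INSERT INTO users (username, pwhash) VALUES ('admin', 'hash:aaaa'), ('operator', 'hash:bbbb');
"""


def build_db():
    """Create the constructed database with a few thousand log rows for the DoS probe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO log (msg) VALUES (?)", [("event %d" % i,) for i in range(3000)])
    conn.commit()
    return conn


def lookup_report_vulnerable(conn, name):
    """Concatenates the caller-supplied name into the statement: it is parsed as SQL."""
    sql = "SELECT name, path FROM reports WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_report_hardened(conn, name):
    """Binds the name as a parameter: it is compared as a value, never parsed as SQL."""
    return conn.execute("SELECT name, path FROM reports WHERE name = ?", (name,)).fetchall()


def run_with_budget(conn, sql, params=(), max_steps=200_000):
    """Run one statement under a VM-instruction budget via SQLite's progress handler.

    Returns ("ok", rows) or ("aborted", None). A handler returning a true value
    interrupts the statement, which surfaces as OperationalError('interrupted').
    """
    interval = 1000  # handler is invoked every `interval` virtual-machine instructions
    calls = {"n": 0}

    def handler():
        calls["n"] += 1
        return calls["n"] * interval > max_steps

    conn.set_progress_handler(handler, interval)
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        if "interrupted" in str(exc):
            return "aborted", None
        raise
    finally:
        conn.set_progress_handler(None, 0)


def demo():
    """Run the injection and the budgeted queries; returns the observations."""
    conn = build_db()
    # constructed payload: closes the literal, appends a UNION over the restricted table,
    # and comments out the trailing quote
    payload = "x' UNION SELECT username, pwhash FROM users --"
    leaked = lookup_report_vulnerable(conn, payload)
    safe = lookup_report_hardened(conn, payload)
    # a self cross join over the log table: 9 million rows, well beyond the budget
    heavy_status, _ = run_with_budget(conn, "SELECT count(*) FROM log a, log b")
    light_status, light_rows = run_with_budget(conn, "SELECT count(*) FROM log")
    return {
        "leaked": leaked,
        "safe": safe,
        "heavy": heavy_status,
        "light": light_status,
        "light_rows": light_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The budget is a blunt instrument and belongs alongside, not instead of, parameterized queries and a database account that only has SELECT on the report and log tables; it exists so that a single crafted query cannot hold the server's database connection indefinitely.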

CVE-2014-2376 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

Ecava IntegraXor includes built-in application tags. These tags disclose information, including the full path names of files on the server, that can be combined with the SQL injection vulnerability.

CVE-2014-2377 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Ecava IntegraXor’s SQL database allows the guest user to execute SELECT queries and potentially to upload malicious files.

CVE-2014-0786 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit them.

Ecava has produced a patch that addresses all four vulnerabilities identified. The patch is available for download from Ecava.
