Energy Sector Software Mitigations

Monday, December 31, 2012 @ 11:12 AM gHale

There are mitigation details available for a vulnerability that impacts the i-GEN opLYNX Central software, which could lead to a partial leakage of information and access to system settings, according to a report on ICS-CERT.

The mitigations work through an authentication bypass vulnerability in i-GEN Solutions opLYNX Central application.

Firmware Fix for Photovoltaic System
Mitigations for Siemens ALM Hole
Siemens, Invensys Mitigations
RuggedCom Releases New ROS Version

Independent researcher Anthony Cicalla, who found the remotely exploitable vulnerability, tested the new version to validate it resolves the vulnerability. This vulnerability impacts the energy sector, mainly in Canada.

All opLYNX versions from 2.01.8 and prior suffer from the issue.

Exploitation of this vulnerability could allow access to configuration settings and other information in the opLYNX Central application.

i-GEN Solutions Corp. is a Canada-based company that provides human-machine interface (HMI), supervisory control and data acquisition (SCADA), and plant historian software to oil and gas, pipelines, chemicals, utilities, and waste water management facilities around the world.

The affected product, opLYNX Central, is a Web-based application, which i-GEN Solutions said mainly sees deployment in the energy sector in Canada.

The i-GEN opLYNX Central system provides an interface for remote connections. Publicly available tools to disable Javascript can bypass authentication on the opLYNX Central interface. This allows a user to access configuration settings and other information. CVE-2012-4688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.5

An attacker with a low skill would be able to exploit this vulnerability with publicly available tools.

i-GEN Solutions released a new version, opLYNX 2.01.9, that resolves this vulnerability. The new version ends up automatically applied upon login.

Leave a Reply

You must be logged in to post a comment.