New SCADA Warning from CERT

Friday, May 13, 2011 @ 12:05 PM gHale

By Gregory Hale
A new warning is out for oil refineries, power plants, and other industrial facilities that a bug in a SCADA software package could allow attackers to take control of their computer systems.

The vulnerability in the Genesis32 and BizViz products made by ICONICS could allow attackers to remotely execute malicious code on machines that run these SCADA programs, the Industrial Control Systems U.S. Computer Emergency Readiness Team (ICS-CERT) warned Wednesday. SCADA systems control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries. ICONICS was on a list released in March of companies with vulnerable SCADA systems.

The vulnerability stems from a stack-overflow bug in an ActiveX control used by the SCADA programs, and an attacker who exploits it can gain command-execution capability, researchers from Australasia-based said.

“By passing a specially crafted string to the ‘SetActiveXGUID’ method, it is possible to overflow a static buffer and execute arbitrary code on the user’s machine with the privileges of the logged on user,” the researchers said. They included a proof-of-concept exploit written in JavaScript.
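As an added illustration (not code from the original article, the researchers, or ICONICS), the bug class described above modelled in C: a hypothetical setter that copies a caller-supplied string into a fixed-size buffer with no bound, beside a hardened form that validates the argument as a registry-format GUID before any byte is copied. The function and buffer names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A GUID in registry form, "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", is always 38 characters. */
#define GUID_STR_LEN 38

/* Hypothetical model of the reported defect (not ICONICS code): the method argument is
 * copied into a fixed-size static buffer with no length check, so any string longer
 * than the buffer overwrites whatever the compiler placed after it. */
static char g_guid_unsafe[GUID_STR_LEN + 1];

void set_active_guid_unsafe(const char *guid)
{
    strcpy(g_guid_unsafe, guid);          /* unbounded copy: the bug class described */
}

/* Hardened form: reject anything that is not exactly a registry-format GUID
 * ({8-4-4-4-12} hex groups) before a single byte is copied. */
static char g_guid_safe[GUID_STR_LEN + 1];

bool is_valid_guid_string(const char *s)
{
    static const size_t groups[5] = {8, 4, 4, 4, 12};
    size_t pos = 0;

    if (s == NULL || strlen(s) != GUID_STR_LEN || s[pos++] != '{')
        return false;
    for (size_t g = 0; g < 5; g++) {
        if (g > 0 && s[pos++] != '-')
            return false;
        for (size_t i = 0; i < groups[g]; i++)
            if (!isxdigit((unsigned char)s[pos++]))
                return false;
    }
    return s[pos] == '}';
}

bool set_active_guid_safe(const char *guid)
{
    if (!is_valid_guid_string(guid))
        return false;                     /* over-long or malformed input never reaches the copy */
    memcpy(g_guid_safe, guid, GUID_STR_LEN + 1);
    return true;
}

const char *get_active_guid_safe(void)
{
    return g_guid_safe;
}
```

The length check is the whole mitigation: the hardened setter fails closed on an over-long string and leaves the previously stored value untouched.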

“This is new and was done by other researchers. Luigi focused on buffer and stack overflows going after vulnerabilities within the ICONICS server services using GenBroker on TCP/38080,” said Joel Langill, chief technology officer at SCADAHacker. “This new set hits the web client, which is pretty powerful, because these often exist on untrusted networks. A perfect social engineering vector for ICS.”

“Just shows that ICS users need to be very diligent in keeping on top of these announcements and patch releases,” Langill said.

“Control systems are the target of disclosure and the resulting potential attacks,” he said.

ICS-CERT confirmed ICONICS issued a patch that addresses this vulnerability. In addition, ICONICS confirmed it validated that this patch fully resolves the vulnerability. According to the advisory, version 9.22 of Genesis32 and BizViz isn’t susceptible to the attack.

ICONICS estimated 55% of GENESIS32 installations are in the U.S., 45% are in Europe, and 5% are in Asia.

US CERT recommends that users of SCADA software take basic precautions to protect themselves from security breaches. The measures include isolating critical devices from the Internet and locating networks and remote devices behind firewalls.

In March, Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Auriemma’s list includes the spectrum of potential security issues from remote file downloads and unauthorized file uploads to targeted attacks on services via integer, buffer and heap overflows.
