Industrial control systems at risk, ICS-CERT warns

Two popular software products used to manage critical infrastructure facilities contain a vulnerability that could allow an attacker to take control of affected systems, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned Wednesday.

The affected products, Genesis32 and BizViz, both web-based supervisory control and data acquisition (SCADA) systems manufactured by U.S.-based Iconics, contain a vulnerability that could be exploited by an attacker to execute arbitrary code on an affected system, ICS-CERT said. The products are used to manage manufacturing, building automation, oil, gas, water and electric facilities in the United States, Europe and Asia.

Security researchers from Security-Assessment.com, a New Zealand-based penetration testing and vulnerability assessment firm, discovered the flaw – a stack overflow vulnerability affecting an ActiveX control incorporated in both products.

The vulnerability is remotely exploitable, ICS-CERT said. To take advantage of the bug, an attacker would have to employ social engineering techniques to lure users into visiting a malicious site containing custom-crafted JavaScript.

“By passing a specially crafted string to the ‘SetActiveXGUID’ method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” Security-Assessment.com researchers Scott Bell and Blair Strang wrote in a paper released late last month detailing the issue.

The researchers included proof-of-concept code in their report.


“Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available,” Johannes Ullrich, chief research officer for the SANS Institute, wrote in a blog post Thursday.

Iconics has released a patch to address the flaw for both affected products. The company also plans to address the bug with updated versions of Genesis32 and BizViz, due next month.

“If you are running a power plant, a refinery or any other system using Iconics' Genesis32 and BizViz software, stop playing on Facebook for a while and please patch your plant,” Ullrich wrote.

As a best practice, users should also place control system networks and devices behind firewalls and separate them from the business network, Iconics said. In addition, network exposure for control system devices should be limited.

Such devices should not directly face the internet, the company said.
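The segmentation guidance above can be checked mechanically. The following is an added example, not code from Iconics, ICS-CERT or the article: it models a zone-based firewall policy with first-match semantics and an implicit default deny, then audits it for any direct path from the internet or the business network into the control zone. The zone names, rules and probe ports are constructed for illustration.

```python
"""Zone-policy audit for a segmented control network.

Added example (not Iconics' or ICS-CERT's code): models the guidance that
control-system devices sit behind a firewall, separated from the business
network, and never face the internet directly. The policy is evaluated as a
first-match rule list with an implicit default deny, then audited for rules
that expose the control zone. Zone names, rules and ports are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard for the destination port


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # destination TCP port, ANY for all ports
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.port in (ANY, port)


def decide(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; no match means deny (default-deny posture)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


# Zones that must never reach the control zone directly.
UNTRUSTED_SOURCES = ("internet", "business")
# Constructed probe ports: HTTP/HTTPS for a web-based HMI plus one arbitrary high port.
PROBE_PORTS = (80, 443, 4444)


def audit(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return (severity, source_zone, port) for every direct path into 'control'."""
    findings = []
    for src in UNTRUSTED_SOURCES:
        for port in PROBE_PORTS:
            if decide(rules, src, "control", port) == "allow":
                severity = "critical" if src == "internet" else "high"
                findings.append((severity, src, port))
    return findings


# Constructed weak policy: business users reach the HMI directly, and a stray
# "allow any" rule exposes the control zone to the internet as well.
WEAK_POLICY = [
    Rule("business", "control", 80, "allow"),
    Rule("internet", "control", ANY, "allow"),
]

# Constructed segmented policy: only a DMZ host talks to control, on one port,
# and internet traffic toward control is explicitly denied.
SEGMENTED_POLICY = [
    Rule("business", "dmz", 443, "allow"),
    Rule("dmz", "control", 443, "allow"),
    Rule("internet", "control", ANY, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {audit(policy) or 'no direct exposure of control zone'}")
```

The audit probes the evaluated policy rather than pattern-matching rule text, so an exposure created by rule ordering (an early broad allow shadowing a later deny) is caught the same way as an explicit allow. Extending `UNTRUSTED_SOURCES` or `PROBE_PORTS` adapts it to a site's own zone model.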
