Critical Infrastructure Security, Malware, Vulnerability Management

Industrial control systems at risk, ICS-CERT warns

Two popular software products used to manage critical infrastructure facilities contain a vulnerability that could allow an attacker to take control of affected systems, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned Wednesday.

The affected products, Genesis32 and BizViz, both web-based supervisory control and data acquisition (SCADA) systems manufactured by U.S.-based Iconics, contain a vulnerability that could be exploited by an attacker to execute arbitrary code on an affected system, ICS-CERT said. The products are used to manage manufacturing, building automation, oil, gas, water and electric facilities in the United States, Europe and Asia.

Security researchers from Security-Assessment.com, a New Zealand-based penetration testing and vulnerability assessment firm, discovered the flaw – a stack overflow vulnerability affecting an ActiveX control incorporated in both products.

The vulnerability is remotely exploitable, ICS-CERT said. To take advantage of the bug, an attacker would have to employ social engineering techniques to lure users into visiting a malicious site containing custom-crafted JavaScript.

“By passing a specially crafted string to the ‘SetActiveXGUID' method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” Security-Assessment.com researchers Scott Bell and Blair Strang, wrote in a paper released late last month detailing the issue.

The researchers included proof-of-concept code in their report.

“...stop playing on Facebook for a while and please patch your plant.”

– Johannes Ullrich, chief research officer for the SANS Institute

“Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available,” Johannes Ullrich, chief research officer for the SANS Institute, wrote in a blog post Thursday.

Iconics has released a patch to address the flaw for both affected products. The company also plans to address the bug with updated versions of Genesis32 and BizViz, due next month.

“If you are running a power plant, a refinery or any other system using Iconics' Genesis32 and BizViz software, stop playing on Facebook for a while and please patch your plant,” Ullrich wrote.

As a best practice, users should also place control system networks and devices behind firewalls and separate them from the business network, Iconics said. In addition, network exposure for control system devices should be limited.

Such devices should not directly face the internet, the company said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.