The affected products, Genesis32 and BizViz, both web-based supervisory control and data acquisition (SCADA) systems manufactured by U.S.-based Iconics, contain a vulnerability that could be exploited by an attacker to execute arbitrary code on an affected system, ICS-CERT said. The products are used to manage manufacturing, building automation, oil, gas, water and electric facilities in the United States, Europe and Asia.
Security researchers from Security-Assessment.com, a New Zealand-based penetration testing and vulnerability assessment firm, discovered the flaw – a stack overflow vulnerability affecting an ActiveX control incorporated in both products.
“By passing a specially crafted string to the ‘SetActiveXGUID’ method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” Security-Assessment.com researchers Scott Bell and Blair Strang wrote in a paper released late last month detailing the issue.
The researchers included proof-of-concept code in their report.
“Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available,” Johannes Ullrich, chief research officer for the SANS Institute, wrote in a blog post Thursday.
Iconics has released a patch to address the flaw for both affected products. The company also plans to address the bug with updated versions of Genesis32 and BizViz, due next month.
“If you are running a power plant, a refinery or any other system using Iconics' Genesis32 and BizViz software, stop playing on Facebook for a while and please patch your plant,” Ullrich wrote.
As a best practice, users should also place control system networks and devices behind firewalls and separate them from the business network, Iconics said. In addition, network exposure for control system devices should be limited.
Such devices should not directly face the internet, the company said.