Two popular software products used to manage critical infrastructure facilities contain a vulnerability that could allow an attacker to take control of affected systems, the US Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned.
The affected products, Genesis32 and BizViz, both web-based supervisory control and data acquisition (SCADA) systems manufactured by US-based Iconics, contain a vulnerability that could be exploited by an attacker to execute arbitrary code on an affected system, ICS-CERT said. The products are used to manage manufacturing, building automation, oil, gas, water and electric facilities in the United States, Europe and Asia.
Security researchers from Security-Assessment.com, a New Zealand-based penetration testing and vulnerability assessment firm, discovered the flaw – a stack overflow vulnerability affecting an ActiveX control incorporated in both products.
The vulnerability is remotely exploitable, ICS-CERT said. To take advantage of the bug, an attacker would have to employ social engineering techniques to lure users into visiting a malicious site containing custom-crafted JavaScript.
“By passing a specially crafted string to the ‘SetActiveXGUID’ method, it is possible to overflow a static buffer and execute arbitrary code on the user's machine with the privileges of the logged on user,” Security-Assessment.com researchers Scott Bell and Blair Strang wrote in a paper released late last month detailing the issue.
The researchers included proof-of-concept code in their report.
“Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available,” Johannes Ullrich, chief research officer for the SANS Institute, wrote in a blog post.
Iconics has released a patch to address the flaw for both affected products. The company also plans to address the bug with updated versions of Genesis32 and BizViz, due next month.
“If you are running a power plant, a refinery or any other system using Iconics' Genesis32 and BizViz software, stop playing on Facebook for a while and please patch your plant,” Ullrich wrote.
As a best practice, users should also place control system networks and devices behind firewalls and separate them from the business network, Iconics said. In addition, network exposure for control system devices should be limited.
Such devices should not directly face the internet, the company said.