The U.S. Department of Homeland Security issued a bulletin on Thursday warning readers about a previously undisclosed, critical vulnerability in Movicon 11, a product used to manage critical infrastructure including the manufacturing, energy and water sectors.
DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) posted an advisory on May 10 that warned customers of Progea Srl that a memory corruption vulnerability in the Movicon Human Machine Interface (HMI) software could allow a remote attacker to knock Movicon devices offline using a specially crafted HTTP POST request sent to the Movicon OPC server component. Progea has issued a fix for the problem, which affects Movicon devices running versions of the Movicon software up to and including version 11.3, ICS-CERT said in its advisory.
The vulnerability was discovered and reported by Dillon Beresford, a SCADA and ICS researcher who works for IXIA. If left unpatched, the vulnerability would allow a remote attacker to force the Movicon server to read an invalid memory address, crashing the device. However, the vulnerability of actual devices deployed in the field will depend on environmental factors at each customer site. ICS-CERT urged Progea customers to assess their vulnerability to attack.
Beresford made headlines repeatedly in the last year for revealing software vulnerabilities and poor security practices in SCADA products, including programmable logic controllers by Siemens. More recently, independent researcher Justin Clarke revealed the existence of a hard-coded back door in switching devices by RuggedCom, which are commonly used by critical infrastructure providers.
Presented with a growing number of reports affecting ICS and SCADA devices, DHS has contemplated tightening the designation of a “vulnerability” to exclude a wide range of so-called “forever day” holes – security holes that are rooted in insecure design decisions by manufacturers.