Malaysian SCADA software company Ecava released a patch yesterday for a zero-day vulnerability in its flagship human machine interface (HMI) that was publicly disclosed at a conference this week.
The patch repairs a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software. HMI software provides a visualization of industrial control and manufacturing processes. These interfaces communicate with programmable logic controllers and manage processes from a central interface, usually a Windows-based system. Those processes can include turning pumps on and off, or temperature control and much more.
The disclosure of the zero day by Luigi Auriemma of ReVuln on Wednesday at the S4x14 Conference in Miami led to an advisory being issued by ICS-CERT the same day. Ecava said it had a patch ready the same day it was notified by ICS-CERT. Auriemma told Threatpost today that ReVuln has tested the patch and it does mitigate his attack.
“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,” Auriemma said. “Exploiting the attack is very trivial because it’s enough to send a long request.”
ICS-CERT said Auriemma did not notify the vendor in advance of his presentation, which included proof-of-concept code that causes a denial of service condition leading to a crash of the HMI. Auriemma said during his presentation that under certain conditions, an attacker could also gain the ability to remotely run code. Ecava said releases before build 4390 are vulnerable; the ICS-CERT advisory identified version 4.1.4380 as vulnerable.
“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” Auriemma said. “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”
IntegraXor is a suite of management tools for HMIs. The software is used in 38 countries, primarily in the United States, U.K., Canada, Australia, Poland and Estonia.
Ecava this summer announced a bug bounty program that was seen as controversial by security researchers. Rather than cash as an incentive for reporting vulnerabilities, the company offered points toward a discount on its software licenses.
The security model for SCADA and industrial control systems has been scrutinized for years with researchers desperately trying to raise awareness to the risks to not only computers systems but human lives. While operators may be aware of the security vulnerabilities present in these often antiquated systems, patching them is rarely a simple proposition. There are instances, for example, where critical processes must be taken offline to install software updates, and downtime competes mightily with internal service level agreements.
Two years ago at the Kaspersky Lab Security Analyst Summit, researchers Billy Rios and Terry McCorkle presented on a project where they set a goal of finding 100 SCADA and ICS bugs in 100 days. Instead, they quickly exceeded their goal and at the time of their presentation, they’d found more than 1,000 bugs in nine months, close to 100 percent of which were exploitable. The researchers said the state of SCADA security was laughable then.