The U.S.’s Computer Emergency Response Team (CERT) issued a warning to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks.
U.S. companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Massachusetts-based Iconics. The software, Genesis32 and BizViz are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications.
ICONICS, based in Foxboro, Massachusetts, has offices around the world and counts firms such as the Pentagon, Transneft, SAP and the City of Beijing, China as customers. The vulnerability is in a dynamic link library (DLL) file, GenVersion.dll, which is a common component of WebHMI, which provides a browser-based interface for the GENESIS32 software’s graphics, trending and alarming applications, according to information on the Iconics Web site.The company did not immediately respond to e-mail and phone call requests for comment.
CERT, in an advisory (PDF) sent to the Industrial Control System CERT (ICS CERT) mailing list, said that, if successfully exploited, the WebHMI vulnerability can allow malicious code to run with the privileges of the current user. Attackers could use JavaScript hosted on an attack Web page to send a specially crafted string to a the WebHMI software, causing a buffer overflow that would allow the attacker to run code with the same privileges as the current user.
The impact to specific customers depends on how the Iconics software is deployed. Iconics has issued an emergency patch to fix the issue with WebHMI and will be rolling a permanent fix into pending updates to the GENESIS32 and BizVis software, the company said. Customers should take precautions to protect their software installations, including using a firewall, restricting remote access to systems running the HMI software and cordoning off control system devices from the public Internet, ICONICS said.
Security problems stemming from HMI software are nothing new. In January, security researcher Dillon Beresford reported a critical hole in HMI software from the Beijing-based firm Wellintech.