During the S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software, a software designed by the Malaysian SCADA company Ecava.
IntegraXor is a suite of management tools for HMIs, the application is mainly diffused in the US, UK, Canada, Australia, Poland and Estonia, and in other dozens of countries.
“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,” “Exploiting the attack is very trivial because it’s enough to send a long request.” Auriemma said.
An HMI (human–machine interface) software is the component in a SCADA system that presents a visual representation of processed data, of industrial control and manufacturing processes, to a human operator.The HMI component, typically a Windows-based machine, communicates directly with programmable logic controllers and provide control for monitored processes.
ReVuln team did not notify the vendor in advance of the presentation, Auriemma provided also a proof-of-concept code that allow an attacker to execute a denial of service attack to block the HMI, a circumstance that could leave the industrial process out of control.
Auriemma made an alarming revelation, he discovered, in fact, that the attacker, under certain conditions, could remotely execute malicious code.
I contacted Luigi Auriemma to ask him why ReVuln has chosen the Ecava product, below his reply:
“The vulnerability has been disclosed publicly at the S4 conference in Miami during our (ReVuln) talk as a demonstration of an undisclosed 0-day affecting an HMI/SCADA system and how to fix or limit it without a patch from the vendor.The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosure of this issue is interesting moreover, because Ecava has a very controversial bug bounty program in which they pay researchers with points for the licenses of the product instead of money.” said Auriemma.
The ICS-CERT in the same day of the disclosure issued an advisory, fortunately the SCADA company Ecava immediately released a patch to fix the zero-day vulnerability.
Well, if the flaw was immediately fixed, you can ask me why to publish the news and I can reply you that:
“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”Auriemma said confirming my perception.
Let me suggest you to read the slides proposed by ReVuln at the conference and titled “Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch” , you will find a lot of interesting stuff, it’s a must reading for security experts.
(Security Affairs – SCADA, ReVuln)