ReVuln team founds a zero-day in SCADA component

Pierluigi Paganini January 18, 2014

At S4x14 Conference in Miami, a researcher at of ReVuln disclosed a buffer overflow zero-day flaw in HMI software produced by Malaysian company Ecava.

During the S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software, a software designed by the Malaysian SCADA company Ecava.

IntegraXor is a suite of management tools for HMIs, the application is mainly diffused in the US, UK, Canada, Australia, Poland and Estonia, and in other dozens of countries.

“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,”  “Exploiting the attack is very trivial because it’s enough to send a long request.” Auriemma said.

An HMI (human–machine interface) software is the component in a SCADA system that presents a visual representation of processed data, of industrial control and manufacturing processes, to a human operator.The HMI component, typically a Windows-based machine, communicates directly with programmable logic controllers and provide control for monitored processes.

ReVuln team did not notify the vendor in advance of the presentation, Auriemma provided also a proof-of-concept code that allow an attacker to execute a denial of service attack to block the HMI, a circumstance that could leave the industrial process out of control.

ReVuln SCADA attack

Auriemma made an alarming revelation, he discovered, in fact, that the attacker, under certain conditions, could remotely execute malicious code.

I contacted Luigi Auriemma to ask him why ReVuln has chosen the Ecava product, below his reply:

“The vulnerability has been disclosed publicly at the S4 conference in Miami during our (ReVuln) talk as a demonstration of an undisclosed 0-day affecting an HMI/SCADA system and how to fix or limit it without a patch from the vendor.The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosure of this issue is interesting moreover, because Ecava has a very controversial bug bounty program in which they pay researchers with points for the licenses of the product instead of money.” said Auriemma.

The ICS-CERT in the same day of the disclosure issued an advisory, fortunately the SCADA company Ecava immediately released a patch to fix the zero-day vulnerability.

Well,  if the flaw was immediately fixed, you can ask me why to publish the news and I can reply you that:

  • Despite the company has immediately fixed the zero-day, a lot of systems could still be vulnerable. Consider that in this phase the patch management process is crucial. A patch must me tested for a specific environment before to be released, the testing period could anyway leave the system vulnerable the hackers know it and have all necessary info to exploit the flaw!
  • Reporting issues to vendors doesn’t speed up fixing, this is a great problem because contributes to enlarge windows exposure for critical systems.
  • This kind of flaw is very common, so they are very dangerous and once again raise the urgency to adopt a model of security by design for the definition if a SCADA architecture.

“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”Auriemma said confirming my perception.

  • Security by design and periodic vulnerability assessment of SCADA infrastructure are fundamental activities in cyber security strategy, it is important to raise awareness of the risks to computer networks and human lives.

Let me suggest you to read the slides proposed by ReVuln at the conference and titled “Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch”  , you will find a lot of interesting stuff, it’s a must reading for security experts.

Pierluigi Paganini

(Security Affairs –  SCADA, ReVuln)

you might also like

leave a comment