Categories: Security

ReVuln team founds a zero-day in SCADA component

At S4x14 Conference in Miami, a researcher at of ReVuln disclosed a buffer overflow zero-day flaw in HMI software produced by Malaysian company Ecava.

During the S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software, a software designed by the Malaysian SCADA company Ecava.

IntegraXor is a suite of management tools for HMIs, the application is mainly diffused in the US, UK, Canada, Australia, Poland and Estonia, and in other dozens of countries.

“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,”  “Exploiting the attack is very trivial because it’s enough to send a long request.” Auriemma said.

An HMI (human–machine interface) software is the component in a SCADA system that presents a visual representation of processed data, of industrial control and manufacturing processes, to a human operator.The HMI component, typically a Windows-based machine, communicates directly with programmable logic controllers and provide control for monitored processes.

ReVuln team did not notify the vendor in advance of the presentation, Auriemma provided also a proof-of-concept code that allow an attacker to execute a denial of service attack to block the HMI, a circumstance that could leave the industrial process out of control.

Auriemma made an alarming revelation, he discovered, in fact, that the attacker, under certain conditions, could remotely execute malicious code.

I contacted Luigi Auriemma to ask him why ReVuln has chosen the Ecava product, below his reply:

“The vulnerability has been disclosed publicly at the S4 conference in Miami during our (ReVuln) talk as a demonstration of an undisclosed 0-day affecting an HMI/SCADA system and how to fix or limit it without a patch from the vendor.The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosure of this issue is interesting moreover, because Ecava has a very controversial bug bounty program in which they pay researchers with points for the licenses of the product instead of money.” said Auriemma.

The ICS-CERT in the same day of the disclosure issued an advisory, fortunately the SCADA company Ecava immediately released a patch to fix the zero-day vulnerability.

Well,  if the flaw was immediately fixed, you can ask me why to publish the news and I can reply you that:

  • Despite the company has immediately fixed the zero-day, a lot of systems could still be vulnerable. Consider that in this phase the patch management process is crucial. A patch must me tested for a specific environment before to be released, the testing period could anyway leave the system vulnerable the hackers know it and have all necessary info to exploit the flaw!
  • Reporting issues to vendors doesn’t speed up fixing, this is a great problem because contributes to enlarge windows exposure for critical systems.
  • This kind of flaw is very common, so they are very dangerous and once again raise the urgency to adopt a model of security by design for the definition if a SCADA architecture.

“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”Auriemma said confirming my perception.

  • Security by design and periodic vulnerability assessment of SCADA infrastructure are fundamental activities in cyber security strategy, it is important to raise awareness of the risks to computer networks and human lives.

Let me suggest you to read the slides proposed by ReVuln at the conference and titled “Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch”  , you will find a lot of interesting stuff, it’s a must reading for security experts.

Pierluigi Paganini

(Security Affairs –  SCADA, ReVuln)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A US soldier was arrested for leaking presidential call logs

US authorities have arrested soldier Cameron John Wagenius for his alleged involvement in leaking presidential…

3 hours ago

DoubleClickjacking allows clickjacking on major websites

The "DoubleClickjacking" exploit bypasses protections on major websites, using a double-click sequence for clickjacking and…

7 hours ago

Russian media outlets Telegram channels blocked in European countries

Telegram restricted access to Russian state-owned news channels in several European countries, including Poland, France,…

11 hours ago

Three Russian-German nationals charged with suspicion of secret service agent activity

German authorities have charged three Russian-German nationals with suspicion of, among other things, secret service agent activity…

14 hours ago

Lumen reports that it has locked out the Salt Typhoon group from its network

Lumen reports that the Salt Typhoon hacking group, which targeted at least nine U.S. telecom…

16 hours ago

Proposed updates to HIPAA Security Rule mandate to restore the loss of certain relevant electronic information systems and data within 72 hours

HHS OCR proposed updates to the HIPAA Security Rule to boost cybersecurity for electronic protected…

1 day ago

This website uses cookies.