Categories: Security

ReVuln team founds a zero-day in SCADA component

At S4x14 Conference in Miami, a researcher at of ReVuln disclosed a buffer overflow zero-day flaw in HMI software produced by Malaysian company Ecava.

During the S4x14 Conference in Miami, Luigi Auriemma of ReVuln disclosed a serious vulnerability in HMI software. The team of researchers at ReVuln discovered a buffer overflow vulnerability in the company’s IntegraXor Web-based HMI software, a software designed by the Malaysian SCADA company Ecava.

IntegraXor is a suite of management tools for HMIs, the application is mainly diffused in the US, UK, Canada, Australia, Poland and Estonia, and in other dozens of countries.

“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,”  “Exploiting the attack is very trivial because it’s enough to send a long request.” Auriemma said.

An HMI (human–machine interface) software is the component in a SCADA system that presents a visual representation of processed data, of industrial control and manufacturing processes, to a human operator.The HMI component, typically a Windows-based machine, communicates directly with programmable logic controllers and provide control for monitored processes.

ReVuln team did not notify the vendor in advance of the presentation, Auriemma provided also a proof-of-concept code that allow an attacker to execute a denial of service attack to block the HMI, a circumstance that could leave the industrial process out of control.

Auriemma made an alarming revelation, he discovered, in fact, that the attacker, under certain conditions, could remotely execute malicious code.

I contacted Luigi Auriemma to ask him why ReVuln has chosen the Ecava product, below his reply:

“The vulnerability has been disclosed publicly at the S4 conference in Miami during our (ReVuln) talk as a demonstration of an undisclosed 0-day affecting an HMI/SCADA system and how to fix or limit it without a patch from the vendor.The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosure of this issue is interesting moreover, because Ecava has a very controversial bug bounty program in which they pay researchers with points for the licenses of the product instead of money.” said Auriemma.

The ICS-CERT in the same day of the disclosure issued an advisory, fortunately the SCADA company Ecava immediately released a patch to fix the zero-day vulnerability.

Well,  if the flaw was immediately fixed, you can ask me why to publish the news and I can reply you that:

  • Despite the company has immediately fixed the zero-day, a lot of systems could still be vulnerable. Consider that in this phase the patch management process is crucial. A patch must me tested for a specific environment before to be released, the testing period could anyway leave the system vulnerable the hackers know it and have all necessary info to exploit the flaw!
  • Reporting issues to vendors doesn’t speed up fixing, this is a great problem because contributes to enlarge windows exposure for critical systems.
  • This kind of flaw is very common, so they are very dangerous and once again raise the urgency to adopt a model of security by design for the definition if a SCADA architecture.

“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”Auriemma said confirming my perception.

  • Security by design and periodic vulnerability assessment of SCADA infrastructure are fundamental activities in cyber security strategy, it is important to raise awareness of the risks to computer networks and human lives.

Let me suggest you to read the slides proposed by ReVuln at the conference and titled “Securing ICS Applications When Vendors Refuse Or Are Slow To Produce a Security Patch”  , you will find a lot of interesting stuff, it’s a must reading for security experts.

Pierluigi Paganini

(Security Affairs –  SCADA, ReVuln)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

30 mins ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

12 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

16 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

22 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.