A division of the U.S. Computer Emergency Readiness Team advised critical infrastructure organizations to repair a critical ActiveX flaw that is enabling hackers to execute malicious attacks on supervisory control and data acquisition systems and take complete control of their facilities.
The vulnerability exists in the Iconics Genesis 32 and BizViz products, versions 9 through 9.21, which open the door for attackers to launch malicious attacks remotely on facilities that use SCADA systems, according to an advisory issued by the Industrial Control Systems CERT, a division of the U.S. CERT, on Wednesday.
A cyber attack exploiting the ActiveX vulnerability is already loose in the wild, the U.S. CERT warned.
Facilities for critical infrastructure such as nuclear power, building automation, oil and gas, water, electric, wastewater and other manufacturing plants rely on Genesis32 and BizViz, both Web-based HMI SCADA systems, to control operations and run equipment.
The vulnerability stems from a stack-overflow vulnerability in an ActiveX control, GenVersion.dll, incorporated in both Genesis32 and BizViz products, which are particularly susceptible to these kinds of flaws, according to SANS Institute researchers.
"ActiveX controls are vulnerable to a good old stack overflow. Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available," said Johannes B. Ullrich, SANS Institute researcher, in a blog post.
"Actual impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact to this vulnerability based on their environment, architecture and product implementation," according to the ISC-CERT advisory.
Thus far, Iconics has released a patch fully resolving the ActiveX vulnerability, and will address the flaw in the next version 9.22 update of Genesis 32 and BizViz.
Until then, the ICS-CERT encourages users to minimize network exposure for all control system devices.
"Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks."
Meanwhile, security experts recommend that users apply the patch as soon as possible.
"If you are running a power plant, a refinery or any other system using Iconics' Genesis 32 and BizViz software, stop playing on Facebook for a while and please patch your plant," Ullrich said.