New SCADA Bug Used In Cyber Attacks, U.S. CERT Warns

The vulnerability exists in the Iconics Genesis 32 and BizViz products, versions 9 through 9.21, which open the door for attackers to launch malicious attacks remotely on facilities that use SCADA systems, according to an advisory issued by the Industrial Control Systems CERT, a division of the U.S. CERT, on Wednesday.

A cyber attack exploiting the ActiveX vulnerability is already loose in the wild, the U.S. CERT warned.

Facilities for critical infrastructure such as nuclear power, building automation, oil and gas, water, electric, wastewater and other manufacturing plants rely on Genesis32 and BizViz, both Web-based HMI SCADA systems, to control operations and run equipment.

The vulnerability stems from a stack-overflow vulnerability in an ActiveX control, GenVersion.dll, incorporated in both Genesis32 and BizViz products, which are particularly susceptible to these kinds of flaws, according to SANS Institute researchers.

"ActiveX controls are vulnerable to a good old stack overflow. Stack overflows are not all that hard to exploit typically, and it doesn't come as a big surprise that according to ICS-CERT, an exploit is publicly available," said Johannes B. Ullrich, SANS Institute researcher, in a blog post.

In a successful exploit scenario, attackers would have to entice users with a GenVersion.dll ActiveX control installed on their system to visit a malicious Web page containing infected JavaScript, typically through some kind of phishing scam or social engineering scheme. A specially crafted string sent to the "SetActiveXGUID" method would effectively trigger a static buffer overflow once the user opened the malicious site, enabling the attacker to gain the same privileges as the logged on user.

"Actual impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact to this vulnerability based on their environment, architecture and product implementation," according to the ISC-CERT advisory.

Thus far, Iconics has released a patch fully resolving the ActiveX vulnerability, and will address the flaw in the next version 9.22 update of Genesis 32 and BizViz.

Until then, the ICS-CERT encourages users to minimize network exposure for all control system devices.

"Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks."

Meanwhile, security experts recommend that users apply the patch as soon as possible.

"If you are running a power plant, a refinery or any other system using Iconics' Genesis 32 and BizViz software, stop playing on Facebook for a while and please patch your plant," Ullrich said.