Saturday, March 16, 2019
Home / Security / Exploits / Scada Zero Day released at S4 Conference

Scada Zero Day released at S4 Conference

Malaysian SCADA computer software organization Ecava published a patch yesterday for a zero-day vulnerability in its flagship human machine interface (HMI) which was publicly disclosed at a conference this week.

The patch repairs a buffer overflow vulnerability within the company’s IntegraXor Web-based HMI software. HMI application supplies a visualization of commercial control and manufacturing processes. These interfaces contact programmable logic controllers and handle operations coming from a central interface, often a Windows-based system. Those processes may include turning pumps on and off, temperature control and much more.

The release of the zero day by Luigi Auriemma of ReVuln on Wednesday at the S4x14 Conference in Miami resulted in an advisory from ICS-CERT within 24 hours. Ecava stated it has a patch ready the same day that it was notified by ICS-CERT. Auriemma stated today that ReVuln has analyzed the patch and it does indeed mitigate his attack.

“The vulnerability is a classical stack based buffer-overflow. This SCADA product is a web server, so it opens a TCP port where it accepts HTTP requests,” Auriemma said. “Exploiting the attack is very trivial because it’s enough to send a long request.”

Auriemma mentioned during his presentation that under certain conditions, an attacker could also gain the ability to remotely run code. Ecava said releases before build 4390 are vulnerable; the ICS-CERT advisory identified version 4.1.4380 as vulnerable.

“By judging the vulnerabilities I disclosed in the past and those currently in the ReVuln portfolio, this type of security issues is still diffused,” Auriemma said. “A difference with the past is that more products try to use the security features of the compilers (enabling DEP, ASLR, stack cookies and so on).”

IntegraXor is a collection of administration resources for HMIs. The application is utilized in 38 countries, mainly in America, U.K., Canada, Australia, Poland and Estonia.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

Amazon hacked – hacker leaks 80,000 login credentials

A hacker going by the name 0x2Taylor has said to have breached the servers of …