Yesterday the DHS ICS-CERT folks published an advisory for a Path Transversal vulnerability in the IntegraXor application from Ecava. The vulnerability was reported by Billy Rios in a coordinated disclosure and he has validated the subsequent patch from Ecava.
This vulnerability would allow a moderately skilled attacker to manipulate files on the system or execute arbitrary code. A social engineering attack would be a necessary component of any such remote attack as it would require the opening of a specially crafted HTML file on the server to be successful.
It is interesting to note that the Advisory reports that:
“This vulnerability is only exploitable while using Internet Explorer due to the proprietary Active X component. No other web browsers are affected by this vulnerability[.]”
It is not clear, to me at least, if the IE Active X component that is involved in the vulnerability in the IntegraXor application would have similar effects on other similar SCADA HMI or HMI development applications. I would suspect that Billy Rios is probably looking into this issue with other systems. In fact, I would not be surprised to see similar vulnerability reports coming out of ICS-CERT in the coming weeks.