Friday, March 23, 2012

Ecava IntegraXor ICS-CERT Advisory Published

Yesterday the DHS ICS-CERT folks published an advisory for a path traversal vulnerability in the IntegraXor application from Ecava. The vulnerability was reported by Billy Rios in a coordinated disclosure, and he has validated the subsequent patch from Ecava.

This vulnerability would allow a moderately skilled attacker to manipulate files on the system or execute arbitrary code. Any remote attack would have to include a social engineering component, since it requires a user to open a specially crafted HTML file on the server before it can succeed.

It is interesting to note that the Advisory reports that:

“This vulnerability is only exploitable while using Internet Explorer due to the proprietary Active X component. No other web browsers are affected by this vulnerability[.]”

It is not clear, to me at least, whether the IE ActiveX component involved in the IntegraXor vulnerability would have similar effects on other SCADA HMI or HMI development applications. I would suspect that Billy Rios is probably looking into this issue with other systems. In fact, I would not be surprised to see similar vulnerability reports coming out of ICS-CERT in the coming weeks.
