This afternoon the DHS ICS-CERT published an advisory for an ActiveX vulnerability in Canary Labs TrendLink [NOTE: ICS-CERT ‘misspells’ TrendLink with a space]. The vulnerability was reported by Kuang-Chun Hung of the Security Research and Service Institute - Information and Communication Security Technology Center (ICST).
The advisory notes that a moderately skilled attacker could remotely exploit this vulnerability to conduct a DoS attack or perhaps execute arbitrary code. Canary Labs has produced an updated version of TrendLink that Kuang-Chun has confirmed mitigates the identified vulnerability. The update is available from Product Support.
The TrendLink web page notes that:
“TrendLink can also be used as an ActiveX control that can be embedded in other programs. For example, TrendLink can be embedded into Human Machine Interfaces (HMI) and Internet applications.”
This means that this is another one of those product vulnerabilities that might affect users who don’t realize they are running TrendLink, because it arrived embedded in an HMI or other application. It would be nice if there were some easy way for operators to identify whether their control system includes vulnerable subsystems like TrendLink.