ICONICS has a hotfix for an authentication bypass vulnerability that leads to privilege escalation in its GENESIS32 and BizViz applications, specifically in the Security Configurator component, according to a report from ICS-CERT.
This vulnerability, discovered by Dr. Wesley McGrew of Mississippi State University, allows an attacker to bypass normal authentication methods, granting full administrative control over the system. Exploits that target this vulnerability are publicly available.
ICONICS said the zero-day vulnerability affects the following versions: GENESIS32 V9.22 and previous, and BizViz V9.22 and previous.
Successful exploitation of this vulnerability could grant an attacker administrator privileges in the Security Configurator. This could allow the attacker to change settings in the system, including the rights and privileges of other users.
An attacker with a moderate skill level and knowledge of the encryption algorithm used to secure the challenge response could obtain administrator privileges in the system.
ICONICS released a patch for the GENESIS32 and BizViz security files for Versions 8.05, 9.01, 9.13, and 9.22 that disables the backdoor security login. In the future, this feature will be re-implemented with a more secure encryption algorithm.
ICONICS has a website that provides information and links related to its security updates for this and other patches.