ICONICS created a patch that fixes a vulnerability in its GENESIS32 application while resolving issues with unrelated products, according to a report on ICS-CERT.
ICONICS GENESIS32 Version 9.0 and newer are not vulnerable to this ActiveX vulnerability. Attackers could exploit this vulnerability remotely, but it would require user interaction.
The following ICONICS products suffer from the issue: GENESIS32 versions 8.0, 8.02, 8.04, and 8.05.
An attacker can craft a web page script that uses the insecure ActiveX control to launch arbitrary executable code. The attacker would need to use social engineering to get a user to visit the web page that launches the script.
These versions of GENESIS32 are vulnerable to this exploit because the ActiveX control is installed by default, whether or not it is used.
Foxborough, MA-based ICONICS has offices in the United Kingdom, Netherlands, Italy, India, Germany, France, Czech Republic, China and the Asia/Australia/Pacific Rim.
ICONICS GENESIS32 sees use across several sectors including commercial facilities, energy, food and agriculture, healthcare and public health, and water and wastewater systems.
The insecure ActiveX control is used by the GenLaunch.htm file, which launches the GENESIS32 applications.
CVE-2014-0758 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Exploits that target this vulnerability are not publicly available. An attacker with moderate skill would be able to exploit this vulnerability.
ICONICS provides information and useful links related to its security patches at its web site.
ICONICS also recommends users of GENESIS32 V8 systems take the following mitigation steps:
• Use a firewall: place control system networks and devices behind firewalls and isolate them from the business network.
• Do not click web links or open unsolicited attachments in email messages.
• Install the patch.
The ICONICS web site also provides a downloadable Whitepaper on Security Vulnerabilities (registration required for download). The whitepaper contains an overview, details and a mitigation plan for buffer overflow and memory corruption vulnerabilities in ICONICS GENESIS32 and GENESIS64 Supervisory Control and Data Acquisition (SCADA) products.