U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-11-126-01)

7-Technologies IGSS Vulnerabilities

Original release date: May 06, 2011 | Last revised: September 06, 2018

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

This advisory is a follow-up to ICS-ALERT-11-080-03 7-Technologies IGSS Vulnerabilities, published on the ICS-CERT Web site on March 20, 2011.

An independent researcher has identified eight vulnerabilities in 7-Technologies (7T) IGSS SCADA human-machine interface (HMI) application. Each of the identified vulnerabilities includes proof-ofconcept (PoC) exploit code. The researcher identified the following vulnerability types:

  • Stack-based buffer overflows
  • Path traversal
  • String formatting
  • Local arbitrary code execution (dc.exe).

Seven of these vulnerabilities occur in IGSSdataServer service on Port 12401/TCP. The eighth vulnerability is identified in the Data Collection application (dc.exe) on Port 12397/TCP. Both vulnerable services run as part of the IGSS application suite. The IGSS Data Server is responsible for data transmission between the IGSS server and the operator stations. All vulnerabilities are remotely exploitable and can allow denial of service, path traversal, and arbitrary code execution.

After these original eight vulnerabilities were identified, Joel Langill of SCADAhackera discovered and coordinated with ICS-CERT a ninth vulnerability. This new vulnerability is directly leveraged off one of the original vulnerabilities, specifically local arbitrary code execution affecting the Data Collection application (dc.exe) on Port 12397/TCP. An attacker could exploit this additional vulnerability to conduct simultaneous directory traversal and arbitrary programs execution on the host machine.

7T has developed a patch that resolves the reported vulnerabilities. ICS-CERT has validated the patch.

Affected Products

The vulnerabilities affect 7T IGSS SCADA HMI prior to Version 9.0.0.11083.

Impact

Successful exploitation of the reported vulnerabilities can allow an attacker to perform a number of malicious actions including denial of service, path traversal, and arbitrary code execution. These actions can result in adverse application conditions and ultimately impact the production environment on which the SCADA system is used.

Background

7T, based in Denmark, creates monitoring and control systems that are primarily used in the United States, Europe, and South Asia. According to the 7T website, IGSS has been deployed in over 28,000 industrial plants in 50 countries worldwide.

7T IGSS HMI is used to control and monitor programmable logic controllers in industrial processes across multiple sectors including energy, manufacturing, oil and gas, and water.

Vulnerability Characterization

Stack-Based Buffer Overflow Vulnerability Overview

Five of the reported vulnerabilities are categorized as stack-based buffer overflows.b Each of these five vulnerabilities occurs in the IGSSdataServer service on Port 12401/TCP. These stack-based buffer overflow vulnerabilities can be exploited by sending specially crafted code to the vulnerable IGSSdataServer service on Port 12401/TCP.

Stack-Based Buffer Overflow Vulnerability Details

Exploitability

The five stack-based buffer overflow vulnerabilities reported can be remotely exploited by sending specially crafted code to the vulnerable IGSSdataServer service. If exploited, these vulnerabilities could allow the attacker to execute a malicious payload.

Existence of Exploit

Exploit code is publicly available for each of the vulnerabilities.

Difficulty

These vulnerabilities require moderate skills to exploit.

Path Traversal Vulnerability Overview

The sixth reported vulnerability, a path traversalc vulnerability, allows an attacker to perform a path traversal that exposes the file system structure and potentially allows an attacker to download or upload files without authorization.

Path Traversal Vulnerability Details

Exploitability

This vulnerability is remotely exploitable by sending specially crafted code to the IGSSdataServer service.

Existence of Exploit

Exploit code is publicly available for each of the vulnerabilities.

Difficulty

This vulnerability requires moderate skills to exploit.

String Format Vulnerability Overview

The seventh reported vulnerability involves a string formatd that occurs in the IGSSdataServer service on Port 12401/TCP. This vulnerability can be exploited by sending specially crafted code to the vulnerable IGSSdataServer service on Port 12401/TCP.

String Format Vulnerability Details

Exploitability

This vulnerability is remotely exploitable by sending specially crafted code to the IGSSdataServer service. If exploited, these vulnerabilities could allow the attacker to execute a malicious payload.

Existence of Exploit

Exploit code is publicly available for each of the vulnerabilities.

Difficulty

This vulnerability requires moderate skills to exploit.

Code Execution Vulnerability Overview

The eighth reported vulnerability, code-execution, affects the dc.exe service on Port 12397/TCP. This vulnerability results from the application failing to provide protection mechanisms for executing such code. This vulnerability could allow an attacker to remotely execute a malicious payload.

Joel Langill was able to leverage this vulnerability to identify the ninth vulnerability, another directory traversal situation.

Code Execution Vulnerability Details

Exploitability

This vulnerability is remotely exploitable by sending specially crafted code to the dc.exe service.

Existence of Exploit

Exploit code is publicly available for each of the vulnerabilities.

Difficulty

This vulnerability requires moderate skills to exploit.

Mitigation

ICS-CERT recommends that customers of 7T IGSS software take the following mitigation steps:

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking
defensive measures.

The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP page of the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top