ICONICS GENESIS32 Multiple Memory Corruption
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
Independent security researchers Billy Rios and Terry McCorkle have identified eight memory corruption vulnerabilities affecting the ICONICS GENESIS32 product. GENESIS32 is a web-deployable human-machine interface (HMI) supervisory control and data acquisition (SCADA) product. These vulnerabilities affect ScriptWorX32, GraphWorX32, and the AlarmWorX32 and TrendWorX32 containers that run as part of the GENESIS32 application.
ICONICS has validated the reported vulnerabilities and has produced patches that address them. ICS-CERT has validated each of the patches and has confirmed that they resolve these vulnerabilities.
According to ICONICS, the following versions of GENESIS32 are affected:
- GENESIS32 V8.05, V9.0, V9.1, and V9.2—ScriptWorX32, AlarmWorX32 and TrendWorX32 containers
- GENESIS32 V9.2—GraphWorX32
Successful exploitation of these vulnerabilities results in an application crash and can allow arbitrary code execution.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their environment, architecture, and product implementation.
ICONICS is a US-based company that maintains offices in several countries around the world, including the US, UK, Netherlands, Italy, India, Germany, France, Czech Republic, China, and Australia.
The affected product, GENESIS32, is a web-deployable HMI SCADA system. According to ICONICS, GENESIS32 is used primarily in the United States and Europe, with a small percentage in Asia, and is deployed across several industries including manufacturing, building automation, oil and gas, water and wastewater, electric utilities, and others.
A total of eight memory corruption vulnerabilities were reported by the researchers. These vulnerabilities affect the ScriptWorX32, GraphWorX32, AlarmWorX32, and TrendWorX32 containers that run as part of the GENESIS32 application. These vulnerabilities can be exploited using specially crafted files that, once opened, result in a crash in the application and possible arbitrary code execution.
These vulnerabilities are remotely exploitable. Social engineering can be used in order to convince a user to open the specially crafted file containing an exploit for this vulnerability.
Existence of Exploit
No known exploits specifically target this vulnerability.
An attacker with a low skill level can create a working exploit for this vulnerability. Moderate skill is needed in order to execute arbitrary code.
ICONICS has released patches for each of the vulnerabilities affecting the GENESIS32 application. This patch and an updated ICONICS Whitepaper on Security Vulnerabilities are available on the ICONICS CERT website: http://www.iconics.com/certs.
Users of the GENESIS32 who wish to apply this patch can refer to the ICONICS patch that matches the version of the software they are running. ICONICS has placed a Readme file in their patch download that offers instructions on how to apply the patch. If additional support is required, users can contact ICONICS for support by e-mailing firstname.lastname@example.org.
ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls, and isolate them from the business network. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a section for control system security related recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.