Major manufacturers and industrial companies in the UK, US and over 30 other countries are being urged to adopt a rapidly-released fix to their IntegraXor (IGX) industrial control software, following the discovery of a Zero Day vulnerability that allows attackers to crash the system.
The problem in IGX, a toolset used to create and run a web-based human-machine interface to SCADA industrial control systems, was revealed without warning at the S4 conference on 15 January by Malta-based security researcher Luigi Auriemma.
‘CVE-2014- 0753b' is a buffer overflow vulnerability that allows remote attackers to target the system. Exploits that target the vulnerability are known to be publicly available.
IGX is produced by Malaysia-based software developer Ecava Sdn Bhd, whose customers include BP, ExxonMobil, FMC, Honda, HSBC, Hyundai and Shell.
On the same day Auriemma revealed the flaw, the US Government's ICS-CERT team – who respond to cyber emergencies in the critical infrastructure area - issued an alert on the issue. The following day Ecava published a patch on its website which is available for users to download.
The ICS-CERT's advisory highlighted Auriemma's approach of revealing the flaw without consultation. It said: “Independent researcher Luigi Auriemma identified a buffer overflow vulnerability in the Ecava IntegraXor application without co-ordination with NCCIC/ICS-CERT, the vendor, or any other co-ordinating entity known to NCCIC/ICS-CERT. Ecava has produced a patch version that mitigates this vulnerability.”
But Auriemma explained his approach in an email to SCMagazineUK.com: “The business model of our company is to not disclose vulnerabilities publicly or to report them to vendors. The uncoordinated disclosing of this issue is interesting moreover because Ecava has a very controversial bug bounty programme in which they pay researchers with points for the licences of the product instead of money.”
“We tested the patch and it fixes the vulnerability.”
The quick reaction to his revelation reflects the critical nature of industrial control products, which is perhaps unsurprising in light of notorious cyber attacks like the Stuxnet worm, which targeted Iran's nuclear facilities.
But Ross Brewer, managing director for international markets at security intelligence specialist LogRhythm, told SCMagazineUK.com that many manufacturing, process control and critical national infrastructure companies are still weak on the area of cyber security.
“These organisations just need to start monitoring activity against all of their systems so they can look for abnormal behaviour which they are not doing today,” he said.
“Attacks on SCADA systems are becoming increasingly regular and the discovery of this latest vulnerability is yet another example of how vigilant users need to be. It really is the stuff of modern-day nightmares and more needs to be done to ensure these types of security gaps are spotted immediately."