Another zero-day exploit for SCADA systems
At present, there is a growing number of reports about flaws in software for Supervisory Control And Data Acquisition (SCADA) systems for industrial facilities. US firm ICS-CERT, which specialises in control systems, has already reported a number of flaws in SCADA software. In addition to the 35 former vulnerabilities and zero-day exploits discussed at the beginning of the week, another vulnerability and yet another zero-day exploit have now popped up.
Security specialist Ruben Santamarta has published code demonstrating a flaw in the web-based virtualisation software WebAccess from BroadWin. The code reportedly allows a flaw in WebAccess Network Service's RPC interface to be exploited allowing code to be injected. Santamarta says he informed ICS-CERT in advance, and the firm contacted the vendor.
ICS-CERT said that the vendor was not able to confirm the flaw. Santamarta later wrote that the vendor denied the flaw's existence, so he published the exploit. In lieu of a patch, ICS-CERT recommends that BroadWin users protect their systems with a firewall and use VPNs for remote access. BroadWin software is used around the world and is also sold by Advantech.
In addition, ICS-CERT says it has found a SQL injection vulnerability in the IntegraXor software from Malaysian vendor Ecava. The firm says that attackers can exploit the flaw to manipulate the database and execute arbitrary code. According to ICS-CERT, the software is used in 38 countries, including the US, Australia, the UK, Poland, and Canada. All versions before 3.60 (build 4032) are affected; an update to build 4050 remedies the problem.
The vendor has also released build 4042, but it does not completely solve the problem. Update: The vendor says that build 4042 was a release candidate for the fixed version which was sent to ICS CERT for verification; build 4050 is the official release for public download.