In association with heise online

13 May 2011, 17:11

SCADA system vulnerable to ActiveX control attack

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Zoom GENESIS32 process control software.
Source: ICONICS Inc
ICS-CERT, which specialises in industrial control systems (ICS), is once more warningPDF of a critical vulnerability, this time in Genesis32 and Genesis64, the 32- and 64-bit versions of Iconics web-based SCADA process control system. The buffer overflow vulnerability in the GenVersion.dll ActiveX control could be exploited by attackers to inject malicious code into control computers. Exploitation merely requires the user of the control computer to visit an infected web site. Once a system is infected, an attacker may be able to obtain control of the industrial system (e.g. a power station or factory) controlled by the Genesis control system.

The vulnerability was discovered by researchers from Security Assessment in late April. They releasedPDF an advisory which included a JavaScript-based exploit. The vendor has now fixed the vulnerability by means of update WebHMI V9.21. Users of the company's BizViz analysis software should also install the update, as that also contains the vulnerable ActiveX control.

US-based ICS-CERT issued an urgent warning of 35 vulnerabilities in SCADA systems just two months ago – that list also included Iconics' Genesis.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit