SCADA Developer Network

Security researcher Andrew Brooks have reported a vulnerability that may occur when a specially crafted HTML document is opened with ActiveX enabled browser, typically Microsoft I.E.. Successful exploitation may crash the said browser. This attack has no impact on IntegraXor SCADA server itself.

IGX developers have taken proactive step to patch the reported vulnerability immediately on the next day, and has been included in latest Release which can be obtained at this link: http://www.integraxor.com/download/beta.msi?4.00.4283. All previous release before build 4283 will have this vulnerability impact. Please download and use this build or any future release to fix this ActiveX enabled browser vulnerability.

We wish to take this opportunity to remind user that IntegraXor SCADA mimic can run completely on standard compliant web technologies and do not rely on any plugin developed using ActiveX nor Java Applet system like other old-fashioned web system. As such please do not accept any suspicious external ActiveX content (web page) when running IntegraXor. User who use Firefox, Chrome or Safari will not be affected by this vulnerability.

Summary of Event

• 12-Dec-2012: ICS CERT Contacted IntegraXor support team.
• 13-Dec-2012: Technical report for the vulnerability is received and POC is acknowledged.
• 14-Dec-2012: Security fixed is issued as release candidate for general download.
• 03-Jan-2013: Security researcher(s) confirmed the vulnerability issue has been fixed.
• 03-Jan-2013: Public announcement is made by IntegraXor support team.

Web developers surely heard of acronym like HTML, CSS, JS, XML etc. But, what about XSS? It’s something a good boy never bother to know, until one day he’s been threaten so. As such we learned the details to defense ourselves, and all you need to do is to upgrade to the latest version to get the SCADA system protected.

Summary of Event

• 13-Apr-2011: ICS CERT Contacted IntegraXor support team that a Security Researcher has discovered XSS vulnerarity in IntegraXor system.
• 14-Apr-2011: 5 Exploit Codes for the vulnerability is received.
• 18-Apr-2011: IntegraXor Support Team confirmed to US-CERT that only 1 out of 5 Exploit Codes is valid. Another 1 is due to database read level security configuration which was set to zero on demo project, hence has nothing to patch.
• 22-Apr-2011: Thanks to US-CERT Malware Team who has confirmed our finding with a very professional analysis report, and they managed to twist one of the invalid exploit code to function. Hence made the total 2 out of 5 exploit codes valid.
• 04-May-2011: IntegraXor Support Team announced to ICS-CERT and Security Researcher all confirmed vulnerabilities have been patched for any version after RC 3.60.4061.
• 09-May-2011: Security fixed is issued as official release 3.60 Build 4080 for general download.
• 24-May-2011: Security researcher confirmed the vulnerability issue has been fixed.
• 27-May-2011: ICS CERT made public announcement.
• 09-Jun-2011: Public announcement was made by IntegraXor.

Image Credits:

Scroll: DooFi

Barricades: Rfc1394

HD Moore of Metasploit published a blog about Exploiting DLL Hijacking Flaws on Sunday, August 22, 2010, and then almost everyone who use Windows are at risk, because you can easily spot one familiar application in the long list of applications that prone for this vulnerabilitie, and IntegraXor is also affected for DLL Hijacking vulnerability. DLL Hijacking vulnerability within IntegraXor was found since end of last year, this is thus far the longest vulnerability that we put on hold to patch. The biggest reason is we need to put our existing customers’ requests in priority, and this vulnerability is an attack which may have some lead way on the time line. As such we put this vulnerability in a lower priority to mitigate as compare to other security vulnerabilities that found later.

Summary of Event

• 22-Dec-2010: An anonymous security researcher that addressed himself/herself as “Mister Teatime” has published an “Uncoordinated Disclosure” of a DLL Hijacking vulnerability at The Open Source Vulnerability Database.
• 28-Dec-2010: ICS-CERT published a security alert.
• 12-Jan-2011: ICS-CERT contacted IntegraXor Support Team for confirmation.
• 17-May-2011: Build 4081 with patch was sent to ICS-CERT for verification.
• 25-May-2011: ICS-CERT confirmed DLL hijacking has been patched.
• 30-May-2011: IntegraXor support team issued VN and declared all version after build 4081 are patched for DLL Hijacking attack.

Note: The screenshot/drawing is published under Creative Commons Attribution 3.0 US License.

Earlier we announced that SQL vulnerability issue has been resolved by adding Read/Write security control onto database configuration, however the security researcher Dan Rosenberg from VSR claimed that the vulnerability is not fully patched. We were forced to put this issue aside as we have putting on hold too many other features request earlier, and then when we returned to merge the production line with security fix, we were dragged by some crash issues for this fix and worst still bumped into unnecessary problem that due to breaking change in ADO update KB983246 (included in Windows 7 Service Pack 1).

And after the vulnerability is fixed we ourselves have been confused by the default configuration that has no Write security control. And finally after more tests and clarification from developer and analysts, last week ICS-CERT has confirmed via email that the reported SQL Unauthenticated Vulnerability has been resolved, that was right before we almost need to setup a conference call with ICS-CERT analysts.

So by the time ICS-CERT confirmed that issue has been *completely* resolved, the correspondence on one single vulnerability has accumulated up to 53 messages that span across three months. So far this is the vulnerability issue that we find most tedious to solve, and again we thank ICS-CERT for helping up in verifying this fix.

Due to the confusion arised, we have decided to accept ICS-CERT recommendation to make Write security level default to a value of 100, but Read level remains as 0 which is open for world reading. This means guest user no longer allow to acknowledge alarm nor delete any report by default, starting from this Release Candidate version 3.60.4042 or for any other version later.

SQL Authentication Vulnerability

IntegraXor 3.6.4000.5 is now added with Read and Write level column to database table which allows user to configure security level for individual database entry. Now only user with security level higher than or equal to the read level can browse for trend and alarm data, and user with security level higher than or equal to the write level can acknowledge alarm. The credit for finding this vulnerability goes to Security Researcher from Virtual Security Research who has reported to ICS-CERT at 22nd December 2010.

Every database could have its own read and write level setting which associated to User level/privilege setting. Note that the default level for both read/write is nil which has no security, this is to ensure compatibility issue for previously developed project. User must manually enter higher level of security as per project requirement.

Along with this SQL authentication feature, we have also fit in the improvement done for Watch List – Now Watch Window could save user defined list created across session. And also server stability improvement. Lastly, debugging messages in status output will be hidden when debug mode is turned off.

Summary of Event

• 22-Dec-2010: ICS CERT Contacted IntegraXor support team. Technical report for the vulnerability is received.
• 27-Dec-2010: IntegraXor development team acknowledged the vulnerability.
• 11-Jan-2011: Security fixed is issued as official release for general download.
• 11-Jan-2011: Public announcement is made by IntegraXor support team.