Category Archives: Vulnerability Note

Security Issue for DLL Vulnerability Note

Security researcher Praveen Darshanam have reported to IGX developer on a new DLL vulnerability via US-CERT. This is the second DLL vulnerability on top of previously found DLL hijack issues. The vulnerability is about replacing the genuine DLL files with malicious DLL files in program directory.

IGX developers have patched the reported vulnerability and released the fix. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/rc.msi?4.2.4488. All previous release before build 4488 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability. We wish to take this opportunity to remind user to always install programs in the “Program Files” or “Program Files (x86)” folder, which offers additional administrator’s protection.

Summary of Event
  • 30-Jan-2015: ICS CERT contacted IntegraXor support team for ICS-VU-133099.
  • 30-Jan-2015: Technical report for the vulnerability is received.
  • 18-Mar-2015: Security fixed is issued for validation & general download.
  • 26-Mar-2015: Security researcher has verified the fix.
  • 01-Apr-2015: Public announcement is made by IntegraXor support team.

Account Information Disclosure Vulnerability Note

Security researcher Andrea Micalizzi aka rgod has disclosed information on a guest account information disclosure vulnerability in IntegraXor via ZDI (Zero Day Initiative), who in turn, coordinated the information with NCCIC/ICS-CERT.

IGX developers have patched the reported vulnerability and the fix has been released in earlier release candidate build 4393. And now included in latest Official Release build 4410 which can be obained at this link: http://www.integraxor.com/download/igsetup.msi?4.1.4410. All previous release before build 4393 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability.

For compatibility reason, user must manually turn on Enhanced User Security (under security tree) in order to enable Account Information encryption to mitigate this vulnerability. The account information encryption will be enforced or set as default setting in the next major release.

One of the prerequisite of this vulnerability is to have the full path of the project URL. So user shall avoid to share or publish the deployed project URL. And also avoid to use the system default port number.

Summary of Event
  • 19-Dec-2013: ICS CERT Contacted IntegraXor support team.
  • 19-Dec-2013: Technical report for the vulnerability is received.
  • 21-Feb-2014: Security fixed is issued as Release Candidate in build 4393 for general download.
  • 19-Mar-2014: Security fixed is issued as official release in build 4410 for general download.
  • 01-Apr-2014: Public announcement is made by IntegraXor support team.

Buffer Overflow Vulnerability Note

Security researcher Luigi Auriemma has disclosed information on a buffer overflow vulnerability in IntegraXor. He presented this vulnerability at the S4 conference yesterday. We would like to thank ICS-CERT for notifying IGX development team accordingly.

IGX developers have patched the reported vulnerability and released the fix on the same day the report is received. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/rc.msi?4.1.4390. All previous release before build 4390 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability.

One of the prerequisite of this vulnerability is to have the full path of the project URL. So please avoid to share or publish the deployed project URL. And also avoid to use the system default port number.

Summary of Event
  • 15-Jan-2014: Security researcher presented in S4 conference.
  • 15-Jan-2014: ICS CERT Contacted IntegraXor support team.
  • 16-Jan-2014: Technical report for the vulnerability is received.
  • 16-Jan-2014: Security fixed is issued as Release Candidate for general download.
  • 16-Jan-2014: Public announcement is made by IntegraXor support team.

Security Issue for Project Directory Information Disclosure Vulnerability Note

Security researcher Alphazorx aka technically.screwed have reported via ZDI that a vulnerability may occur when a specially crafted URL could download certain files in the project directory.

IGX developers have patched the reported vulnerability and released the fix on the following day. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/beta.msi?4.1.4369. All previous release before build 4369 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability. We wish to take this opportunity to remind user to use VPN for any Internet facing system.

Summary of Event
  • 07-Nov-2013: ICS CERT contacted IntegraXor support team.
  • 08-Nov-2013: Technical report for the vulnerability is received.
  • 08-Nov-2013: Security fixed is issued for validation & general download.
  • 05-Dec-2013: ICS CERT proposed to proceed without researcher validation.
  • 20-Dec-2013: Public announcement is made by IntegraXor support team.

Security Issue for ActiveX enabled browser Vulnerability Note

Security researcher Andrew Brooks have reported a vulnerability that may occur when a specially crafted HTML document is opened with ActiveX enabled browser, typically Microsoft I.E.. Successful exploitation may crash the said browser. This attack has no impact on IntegraXor SCADA server itself.

IGX developers have taken proactive step to patch the reported vulnerability immediately on the next day, and has been included in latest Release which can be obtained at this link: http://www.integraxor.com/download/beta.msi?4.00.4283. All previous release before build 4283 will have this vulnerability impact. Please download and use this build or any future release to fix this ActiveX enabled browser vulnerability.

We wish to take this opportunity to remind user that IntegraXor SCADA mimic can run completely on standard compliant web technologies and do not rely on any plugin developed using ActiveX nor Java Applet system like other old-fashioned web system. As such please do not accept any suspicious external ActiveX content (web page) when running IntegraXor. User who use Firefox, Chrome or Safari will not be affected by this vulnerability.

Summary of Event
  • 12-Dec-2012: ICS CERT Contacted IntegraXor support team.
  • 13-Dec-2012: Technical report for the vulnerability is received and POC is acknowledged.
  • 14-Dec-2012: Security fixed is issued as release candidate for general download.
  • 03-Jan-2013: Security researcher(s) confirmed the vulnerability issue has been fixed.
  • 03-Jan-2013: Public announcement is made by IntegraXor support team.