Category Archives: Vulnerability Note

Account Information Disclosure Vulnerability Note

Security researcher Andrea Micalizzi aka rgod has disclosed information on a guest account information disclosure vulnerability in IntegraXor via ZDI (Zero Day Initiative), who in turn, coordinated the information with NCCIC/ICS-CERT.

IGX developers have patched the reported vulnerability and the fix has been released in earlier release candidate build 4393. And now included in latest Official Release build 4410 which can be obained at this link: http://www.integraxor.com/download/igsetup.msi?4.1.4410. All previous release before build 4393 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability.

For compatibility reason, user must manually turn on Enhanced User Security (under security tree) in order to enable Account Information encryption to mitigate this vulnerability. The account information encryption will be enforced or set as default setting in the next major release.

One of the prerequisite of this vulnerability is to have the full path of the project URL. So user shall avoid to share or publish the deployed project URL. And also avoid to use the system default port number.

Summary of Event
  • 19-Dec-2013: ICS CERT Contacted IntegraXor support team.
  • 19-Dec-2013: Technical report for the vulnerability is received.
  • 21-Feb-2014: Security fixed is issued as Release Candidate in build 4393 for general download.
  • 19-Mar-2014: Security fixed is issued as official release in build 4410 for general download.
  • 01-Apr-2014: Public announcement is made by IntegraXor support team.

Buffer Overflow Vulnerability Note

Security researcher Luigi Auriemma has disclosed information on a buffer overflow vulnerability in IntegraXor. He presented this vulnerability at the S4 conference yesterday. We would like to thank ICS-CERT for notifying IGX development team accordingly.

IGX developers have patched the reported vulnerability and released the fix on the same day the report is received. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/rc.msi?4.1.4390. All previous release before build 4390 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability.

One of the prerequisite of this vulnerability is to have the full path of the project URL. So please avoid to share or publish the deployed project URL. And also avoid to use the system default port number.

Summary of Event
  • 15-Jan-2014: Security researcher presented in S4 conference.
  • 15-Jan-2014: ICS CERT Contacted IntegraXor support team.
  • 16-Jan-2014: Technical report for the vulnerability is received.
  • 16-Jan-2014: Security fixed is issued as Release Candidate for general download.
  • 16-Jan-2014: Public announcement is made by IntegraXor support team.

Security Issue for Project Directory Information Disclosure Vulnerability Note

Security researcher Alphazorx aka technically.screwed have reported via ZDI that a vulnerability may occur when a specially crafted URL could download certain files in the project directory.

IGX developers have patched the reported vulnerability and released the fix on the following day. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/beta.msi?4.1.4369. All previous release before build 4369 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability. We wish to take this opportunity to remind user to use VPN for any Internet facing system.

Summary of Event
  • 07-Nov-2013: ICS CERT contacted IntegraXor support team.
  • 08-Nov-2013: Technical report for the vulnerability is received.
  • 08-Nov-2013: Security fixed is issued for validation & general download.
  • 05-Dec-2013: ICS CERT proposed to proceed without researcher validation.
  • 20-Dec-2013: Public announcement is made by IntegraXor support team.

Security Issue for ActiveX enabled browser Vulnerability Note

Security researcher Andrew Brooks have reported a vulnerability that may occur when a specially crafted HTML document is opened with ActiveX enabled browser, typically Microsoft I.E.. Successful exploitation may crash the said browser. This attack has no impact on IntegraXor SCADA server itself.

IGX developers have taken proactive step to patch the reported vulnerability immediately on the next day, and has been included in latest Release which can be obtained at this link: http://www.integraxor.com/download/beta.msi?4.00.4283. All previous release before build 4283 will have this vulnerability impact. Please download and use this build or any future release to fix this ActiveX enabled browser vulnerability.

We wish to take this opportunity to remind user that IntegraXor SCADA mimic can run completely on standard compliant web technologies and do not rely on any plugin developed using ActiveX nor Java Applet system like other old-fashioned web system. As such please do not accept any suspicious external ActiveX content (web page) when running IntegraXor. User who use Firefox, Chrome or Safari will not be affected by this vulnerability.

Summary of Event
  • 12-Dec-2012: ICS CERT Contacted IntegraXor support team.
  • 13-Dec-2012: Technical report for the vulnerability is received and POC is acknowledged.
  • 14-Dec-2012: Security fixed is issued as release candidate for general download.
  • 03-Jan-2013: Security researcher(s) confirmed the vulnerability issue has been fixed.
  • 03-Jan-2013: Public announcement is made by IntegraXor support team.

Security Issue XSS Vulnerability Note

Web developers surely heard of acronym like HTML, CSS, JS, XML etc. But, what about XSS? It’s something a good boy never bother to know, until one day he’s been threaten so. As such we learned the details to defense ourselves, and all you need to do is to upgrade to the latest version to get the SCADA system protected.

Crossed site scripting illustration

Summary of Event
  • 13-Apr-2011: ICS CERT Contacted IntegraXor support team that a Security Researcher has discovered XSS vulnerarity in IntegraXor system.
  • 14-Apr-2011: 5 Exploit Codes for the vulnerability is received.
  • 18-Apr-2011: IntegraXor Support Team confirmed to US-CERT that only 1 out of 5 Exploit Codes is valid. Another 1 is due to database read level security configuration which was set to zero on demo project, hence has nothing to patch.
  • 22-Apr-2011: Thanks to US-CERT Malware Team who has confirmed our finding with a very professional analysis report, and they managed to twist one of the invalid exploit code to function. Hence made the total 2 out of 5 exploit codes valid.
  • 04-May-2011: IntegraXor Support Team announced to ICS-CERT and Security Researcher all confirmed vulnerabilities have been patched for any version after RC 3.60.4061.
  • 09-May-2011: Security fixed is issued as official release 3.60 Build 4080 for general download.
  • 24-May-2011: Security researcher confirmed the vulnerability issue has been fixed.
  • 27-May-2011: ICS CERT made public announcement.
  • 09-Jun-2011: Public announcement was made by IntegraXor.

Image Credits:

Scroll: DooFi

Barricades: Rfc1394