Security researcher Luigi Auriemma has disclosed information on a buffer overflow vulnerability in IntegraXor. He presented this vulnerability at the S4 conference yesterday. We would like to thank ICS-CERT for notifying IGX development team accordingly.
IGX developers have patched the reported vulnerability and released the fix on the same day the report is received. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/rc.msi?4.1.4390. All previous release before build 4390 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability.
One of the prerequisite of this vulnerability is to have the full path of the project URL. So please avoid to share or publish the deployed project URL. And also avoid to use the system default port number.
Summary of Event
- 15-Jan-2014: Security researcher presented in S4 conference.
- 15-Jan-2014: ICS CERT Contacted IntegraXor support team.
- 16-Jan-2014: Technical report for the vulnerability is received.
- 16-Jan-2014: Security fixed is issued as Release Candidate for general download.
- 16-Jan-2014: Public announcement is made by IntegraXor support team.
Security researcher Alphazorx aka technically.screwed have reported via ZDI that a vulnerability may occur when a specially crafted URL could download certain files in the project directory.
IGX developers have patched the reported vulnerability and released the fix on the following day. The fix has been included in latest Release which can be obained at this link: http://www.integraxor.com/download/beta.msi?4.1.4369. All previous release before build 4369 will have this vulnerability impact. Please download and use this build or any later release to fix this vulnerability. We wish to take this opportunity to remind user to use VPN for any Internet facing system.
Summary of Event
- 07-Nov-2013: ICS CERT contacted IntegraXor support team.
- 08-Nov-2013: Technical report for the vulnerability is received.
- 08-Nov-2013: Security fixed is issued for validation & general download.
- 05-Dec-2013: ICS CERT proposed to proceed without researcher validation.
- 20-Dec-2013: Public announcement is made by IntegraXor support team.
Security researcher Andrew Brooks have reported a vulnerability that may occur when a specially crafted HTML document is opened with ActiveX enabled browser, typically Microsoft I.E.. Successful exploitation may crash the said browser. This attack has no impact on IntegraXor SCADA server itself.
IGX developers have taken proactive step to patch the reported vulnerability immediately on the next day, and has been included in latest Release which can be obtained at this link: http://www.integraxor.com/download/beta.msi?4.00.4283. All previous release before build 4283 will have this vulnerability impact. Please download and use this build or any future release to fix this ActiveX enabled browser vulnerability.
We wish to take this opportunity to remind user that IntegraXor SCADA mimic can run completely on standard compliant web technologies and do not rely on any plugin developed using ActiveX nor Java Applet system like other old-fashioned web system. As such please do not accept any suspicious external ActiveX content (web page) when running IntegraXor. User who use Firefox, Chrome or Safari will not be affected by this vulnerability.
Summary of Event
- 12-Dec-2012: ICS CERT Contacted IntegraXor support team.
- 13-Dec-2012: Technical report for the vulnerability is received and POC is acknowledged.
- 14-Dec-2012: Security fixed is issued as release candidate for general download.
- 03-Jan-2013: Security researcher(s) confirmed the vulnerability issue has been fixed.
- 03-Jan-2013: Public announcement is made by IntegraXor support team.
Web developers surely heard of acronym like HTML, CSS, JS, XML etc. But, what about XSS? It’s something a good boy never bother to know, until one day he’s been threaten so. As such we learned the details to defense ourselves, and all you need to do is to upgrade to the latest version to get the SCADA system protected.
Summary of Event
- 13-Apr-2011: ICS CERT Contacted IntegraXor support team that a Security Researcher has discovered XSS vulnerarity in IntegraXor system.
- 14-Apr-2011: 5 Exploit Codes for the vulnerability is received.
- 18-Apr-2011: IntegraXor Support Team confirmed to US-CERT that only 1 out of 5 Exploit Codes is valid. Another 1 is due to database read level security configuration which was set to zero on demo project, hence has nothing to patch.
- 22-Apr-2011: Thanks to US-CERT Malware Team who has confirmed our finding with a very professional analysis report, and they managed to twist one of the invalid exploit code to function. Hence made the total 2 out of 5 exploit codes valid.
- 04-May-2011: IntegraXor Support Team announced to ICS-CERT and Security Researcher all confirmed vulnerabilities have been patched for any version after RC 3.60.4061.
- 09-May-2011: Security fixed is issued as official release 3.60 Build 4080 for general download.
- 24-May-2011: Security researcher confirmed the vulnerability issue has been fixed.
- 27-May-2011: ICS CERT made public announcement.
- 09-Jun-2011: Public announcement was made by IntegraXor.
HD Moore of Metasploit published a blog about Exploiting DLL Hijacking Flaws on Sunday, August 22, 2010, and then almost everyone who use Windows are at risk, because you can easily spot one familiar application in the long list of applications that prone for this vulnerabilitie, and IntegraXor is also affected for DLL Hijacking vulnerability.
DLL Hijacking vulnerability within IntegraXor was found since end of last year, this is thus far the longest vulnerability that we put on hold to patch. The biggest reason is we need to put our existing customers’ requests in priority, and this vulnerability is an attack which may have some lead way on the time line. As such we put this vulnerability in a lower priority to mitigate as compare to other security vulnerabilities that found later.
Summary of Event
- 22-Dec-2010: An anonymous security researcher that addressed himself/herself as “Mister Teatime” has published an “Uncoordinated Disclosure” of a DLL Hijacking vulnerability at The Open Source Vulnerability Database.
- 28-Dec-2010: ICS-CERT published a security alert.
- 12-Jan-2011: ICS-CERT contacted IntegraXor Support Team for confirmation.
- 17-May-2011: Build 4081 with patch was sent to ICS-CERT for verification.
- 25-May-2011: ICS-CERT confirmed DLL hijacking has been patched.
- 30-May-2011: IntegraXor support team issued VN and declared all version after build 4081 are patched for DLL Hijacking attack.
Note: The screenshot/drawing is published under Creative Commons Attribution 3.0 US License.