IntegraXor 3.5 SCADA Security Issue 20101006-0109 Vulnerability Note

Earlier this October, the Industrial Control System Cyber Emergency Team (ICS-CERT), managed and operated by the United States Department of Homeland Security Control Systems Security Program, received a report from an independent security researcher of a vulnerability in IntegraXor. ICS-CERT works in coordination with US-CERT, with a focus on control systems cyber security. Below are the contact details for additional information.
US CERT Contact Info

The independent security researcher, Jeremy Brown, has indicated that previous versions (before 3.5.3900.10) of IntegraXor have a security vulnerability whereby an attacker may exploit the system on the SCADA server machine by using malware, badware or any type of virus that specifically targets IntegraXor. The IntegraXor development team immediately acknowledged and fixed the loophole, and the patched version has been released as “igsetup-3.5.3900.10.msi” and thereafter. Note that this security vulnerability has no impact on the client machine or Internet access.

As part of the procedure, we are making this public announcement of the vulnerability. Before doing so, we requested a grace period from ICS-CERT and the security researcher, to announce this vulnerability by the end of 2010, so that our existing registered users could upgrade their previous versions accordingly. We urge our existing registered users who are still using any version earlier than 3.5.3900.10 to download the latest version from our download page and migrate their existing projects to the latest version ASAP so that their SCADA systems will not be exposed to this vulnerability. Meanwhile, please ensure that the SCADA machine is protected by an anti-virus system upgraded with the latest virus patterns. We are truly sorry for the inconvenience caused and will support our users in migrating old projects to the current version of IntegraXor. Please contact [email protected] for any support issue.

Summary of Event
  • 06-Oct-2010: ICS-CERT contacted the IntegraXor support team.
  • 07-Oct-2010: Technical report for the vulnerability is received.
  • 08-Oct-2010: Security fix is issued as Release Candidate for inspection.
  • 14-Oct-2010: Security fix is issued as official release for general download.
  • 15-Oct-2010: Security researcher confirmed that the vulnerability has been fixed. Grace period of two months before public announcement is started.
  • 15-Dec-2010: Public announcement is made by the IntegraXor support team.