Multiple Security Issues Vulnerability Note

Security researcher Marcus Richerson from San Diego State University have reported multiple security issues in his research. We are very thankful for his time spent especially on verifying the patches for many rounds.

IGX developers have patched the reported vulnerabilities and released the fix over time. The complete fix has been included in latest Release which can be obained at this link:

All previous release before this build 4522 will have these vulnerabilities impact. Please download and use this build or any later release to fix these vulnerabilities.

One particular found vulnerability is in fact a general feature that IGX could be configured to execute a command or external program before and after the project is loaded. This is claimed as vulnerability or ability to execute arbitrary code on a machine after the project file has been loaded and run.

The IGX team could not compromise to remove this functionality, but provided an innovative solution by restricting the execution of the program from within the path of “Program Files” or “Program Files (x86)” only. This mean attackers could not send malicious SCADA project files to S.I. for executing malicious code and gain full access to the machine, because all programs installed or copied into Program Files folder must have authorized by the system admin. As such IGX users will get to continue to enjoy this functionality without tolerant with their security.

On the other hand, another claimed vulnerability is about lack of HTTPS support, whereby it’s a feature request that we planned in our development roadmap, and now expedited and released.

Summary of Event
  • 28-Aug-2015: ICS CERT contacted IntegraXor support team for ICS-VU-757465.
  • 31-Aug-2015: Technical report for the vulnerabilities is received.
  • 24-Sep-2015: ICS CERT contacted IntegraXor support team for ICS-VU-682605.
  • 24-Sep-2015: Support team confirmed ICS-VU-682605 is one of the vuln found in ICS-VU-757465.
  • 01-Oct-2015: Fixed some vulns and released gradually.
  • 12-Oct-2015: Vulnerability found in ICS-VU-682605 is fixed in beta.
  • 04-Mar-2016: Released to researcher for verification.
  • 15-Mar-2016: Security researcher still found some issues outstanding.
  • 16-Mar-2016: Released updated version to researcher for verification.
  • 21-Mar-2016: Security researcher still found not all issues mitigated.
  • 23-Mar-2016: Released updated version to researcher for verification.
  • 12-Apr-2016: Public announcement is made by IntegraXor support team.