The U.S. government is warning critical-infrastructure operators of a serious
hole in software used in oil and gas; water; electric utilities; and
manufacturing plants around the world.
The stack overflow vulnerability affects the Genesis32 supervisory control
and data acquisition (SCADA) and BizViz software sold by ICONICS, according to
an advisory (PDF)
released yesterday by the Department of Homeland Security’s ICS-CERT (Industrial
Control Systems Cyber Emergency Response Team). ICONICS has issued a patch to
close the hole, which could allow an attacker to remotely execute code and take
control of the computer.
Meanwhile, an exploit targeting the vulnerability was publicly available, the
advisory said. To be successful, an attacker would need to use social
engineering to lure a user with the “GenVersion.dll” (dynamic-link library)
The dynamic-link library is a component of WebHMI (human machine interface) used
in the ICONICS software, according to the advisory, which cited a report (PDF)
by researchers at Security-Assessment.com.
“This vulnerability requires moderate skill to exploit,” the warning said.
Fifty-five percent of the Genesis32 installations are in the U.S., 45 percent
are in Europe, and 5 percent are in Asia, according to Foxborough, Mass.-based
The advisory comes less than two months after the ICS-CERT and several
researchers warned of a handful of holes in
different SCADA software.
Security issues with software used to monitor and control
critical-infrastructure systems are cropping up more and more as those systems
adopt Web-based technologies that provide channels into previously isolated