Serious hole in critical-infrastructure software, says U.S.

The U.S. government is warning critical-infrastructure operators of a serious hole in software used in oil and gas; water; electric utilities; and manufacturing plants around the world.

The stack overflow vulnerability affects the Genesis32 supervisory control and data acquisition (SCADA) and BizViz software sold by ICONICS, according to an advisory (PDF) released yesterday by the Department of Homeland Security's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). ICONICS has issued a patch to close the hole, which could allow an attacker to remotely execute code and take control of the computer.

Meanwhile, an exploit targeting the vulnerability was publicly available, the advisory said. To be successful, an attacker would need to use social engineering to lure a user with the "GenVersion.dll" (dynamic-link library) ActiveX control installed to visit a Web page that hosts malicious JavaScript. The dynamic-link library is a component of WebHMI (human machine interface) used in the ICONICS software, according to the advisory, which cited a report (PDF) by researchers at Security-Assessment.com.

"This vulnerability requires moderate skill to exploit," the warning said.

Fifty-five percent of the Genesis32 installations are in the U.S., 45 percent are in Europe, and 5 percent are in Asia, according to Foxborough, Mass.-based ICONICS.

The advisory comes less than two months after the ISC-CERT and several researchers warned of a handful of holes in different SCADA software.

Security issues with software used to monitor and control critical-infrastructure systems are cropping up more and more as those systems adopt Web-based technologies that provide channels into previously isolated networks.