All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This advisory is a follow-up to ICS-ALERT-10-355-01 - Ecava IntegraXor Directory Traversal, published on the ICS-CERT Web page on December 21, 2010.
ICS-CERT has become aware of a directory traversal vulnerability in the Ecava IntegraXor Human-Machine Interface (HMI) product that could allow data leakage. ICS-CERT is currently in contact with representatives of Ecava who have verified the vulnerability. Ecava has developed and released a patch to mitigate the vulnerability (igsetup-3.6.4000.1.msi or later) and has notified its customer base of the availability of the patch (http://www.integraxor.com/download/igsetup.msi). This patch has been verified by both the ICS-CERT and the independent security researcher.
This vulnerability affects all IntegraXor versions prior to Version 3.6 (Build 4000.0). For more information, customers can contact Ecava support at email@example.com.
IntegraXor is currently used in several areas of process control in 38 countries around the world with the largest installation bases being in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
While a successful exploit of this vulnerability could lead to arbitrary data leakage, the impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Ecava Sdn Bhda is a Malaysia-based software development company that provides the IntegraXor product. Ecava specializes in factory and process automation solutions.
IntegraXor is a suite of tools used to create and run a web-based HMI interface for a Supervisory Control and Data Acquisition (SCADA) system.
IntegraXor is vulnerable to a directory traversal exploit. An attacker may add an arbitrary path and file and read any arbitrary file.
This vulnerability is exploitable from a remote machine.
Existence of Exploit
This exploit is publicly known and available.
A low level of skill is needed to exploit this vulnerability.
ICS-CERT recommends that users of Ecava IntegraXor take the following mitigation steps:
- Update IntegraXor to the latest version and install the latest patch.
Ecava has developed and released a patch to mitigate the vulnerability (http://www.integraxor.com/download/igsetup.msi). For more information, customers can contact Ecava support at firstname.lastname@example.org.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.
The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- a. Ecava, http://www.ecava.com/indexhtm, web page last accessed November 16, 2010.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.