ICS-CERT said that researcher Dillon Beresford has identified a memory corruption flaw in the Movicon 11 human machine interface (HMI) software that could enable a remote attacker to shutdown the system.
Movicon 11 is an XML-based HMI development system that includes drivers for programmable logic controllers and provides OPC-based connectivity for data transfer. The product is used in the energy, water, and certain critical manufacturing industries.
“An attacker can cause the server to read an invalid memory address resulting in a denial of service”, the agency explained in an advisory. It stressed that there are no known exploits of the vulnerability.
ICS-CERT explained that the actual impact of the vulnerability to organizations “depends on many factors that are unique to each organization.” The agency recommended that each organization evaluate the impact based on operational environment, architecture, and product implementation.
Italian firm Progea has released a new version of the product, version 11.3, which fixes the flaw, according to the advisory. Beresford, who works for IXIA, confirmed that the fix works, it added.