US-CERT warns of SQL holes in SCADA control systems

Independent security researcher Dan Rosenberg, who works with Virtual Security Research (VSR), has discovered an unauthenticated Structured Query Language (SQL) vulnerability in the Ecava IntegraXor human machine interface (HMI) product that could allow data leakage, data manipulation and remote code execution against the back-end host running the database service, US-CERT said.

IntegraXor is deployed in several areas of process control in 38 countries around the world, with the largest installed bases in the United Kingdom, United States, Australia, Poland, Canada and Estonia. The vulnerability affects all IntegraXor versions prior to Version 3.60 (Build 4032).

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advises users to locate control system networks and remote devices behind firewalls and isolate them from the business network. If remote access is required, secure methods such as virtual private networks (VPNs) should be used.

In a blog post, IntegraXor said: "Earlier we announced that the SQL vulnerability issue has been resolved by adding read/write security control onto database configuration, however the security researcher Dan Rosenberg from VSR claimed that the vulnerability is not fully patched. We were forced to put this issue aside as we have put on hold too many other features requested earlier, and then when we returned to merge the production line with security fix, we were dragged by some crash issues for this fix and worse still bumped into unnecessary problems due to breaking change in ADO update KB983246 (included in Windows 7 Service Pack 1)."

Another security researcher, Luigi Auriemma, has identified on his website several issues with Siemens Tecnomatix FactoryLink, IGSS (Interactive Graphical SCADA System) and Iconics GENESIS32 SCADA-based systems.

This story was first published by Computer Weekly
