A popular set of SCADA software systems used in critical infrastructure around the world suffered from at least five known vulnerabilities that could have allowed for privilege escalation, DLL hijacking and the ability to modify critical files.
The vulnerabilities were found within a suite of software made by ICONICS, which claims on its website that its SCADA software is embedded in “hundreds of thousands of installations running in over 100 countries worldwide and running in over 70 percent of Global 500 companies.”
The flaws, which are known to affect versions 10.97.2 and 10.97.3 and possibly earlier versions, were discovered by Palo Alto Networks last year and have since been patched. However, public internet scans have identified “several dozen” vulnerable ICONICS servers that remain publicly connected to the internet.
“On unpatched ICONICS installations without any workarounds or remediations, these vulnerabilities could lead to escalation of privileges, [denial of service] and in specific circumstances, even full system compromise,” wrote researchers Asher Davila and Malav Vyas.
All five of the vulnerabilities rate between 7.0 and 7.8 on the CVSS severity scale, and include DLL hijacking, file tampering, denial-of-service and dead-code flaws.
According to Palo Alto Networks, ICONICS Suite servers are primarily used in the government, military, manufacturing, water and wastewater and energy sectors, and are used for automation, data analysis and industrial Internet of Things cloud integration. On the “success stories” section of its website, the company lists as clients dozens of power and wind generation facilities, airports, natural gas plants and localities around the world.
According to data from business intelligence vendor Enlyft, ICONICS software is used by large businesses like Amazon, IBM and Hewlett-Packard, and the vast majority of its clients are industrial businesses based in the United States.
ICONICS did not respond to CyberScoop’s request for comment on remediation, investigation details, and the vulnerabilities’ impact on earlier software versions.
Some of the weaknesses appear to relate to how ICONICS relies on older, less secure versions of other tools and components to make its software interoperable with industrial control systems.
One vulnerability (CVE-2024-7587) stems from default settings in how ICONICS software communicates with operational technology. That communication goes through a tool called GenBroker, which works with legacy implementations of Open Platform Communications (OPC) servers and other OT device communication protocols like Modbus and BACnet. But older 32-bit versions of GenBroker are vulnerable to privilege escalation attacks, and ICONICS recommends using the older, insecure version on its configuration page, even when a more secure, 64-bit version is already installed on the device.
Another vulnerability (CVE-2024-1182) stems from an outdated version of a software development kit for SMS messaging, known as Derdack’s Message Master, that has “been deprecated for approximately 15 years with no ongoing support.”
“While no longer maintained, the Message Master SMS SDK is still integrated into the ICONICS Suite AlarmWorX MMX module,” researchers wrote. “This module is responsible for facilitating SMS and pager alerts. When those applications use Message Master SMS SDK, they are exposed to the underlying vulnerabilities present” in the software.
Newer versions of these tools were not immune to exploitation. The other three vulnerabilities described by Palo Alto Networks all exist within the latest versions of Genesis64 and GenBroker64, allowing for phantom DLL hijacking, lateral movement, abuse of trusted relationships and bypassing endpoint detection and response protections.