Trihedral Fixes Vulnerability in SCADA Monitoring and Control Software

Canada-based Trihedral Engineering Ltd. has released software updates to address a security vulnerability that can be leveraged to cause VTScada servers to crash.

VTScada (VTS) is a control and monitoring application for supervisory control and data acquisition (SCADA) systems. The product is used in industries such as chemical, energy, communications, critical manufacturing, transportation, and food and agriculture mainly in North America and Europe.

According to an advisory published on Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the software is affected by a remotely exploitable integer overflow vulnerability that an unauthenticated attacker can trigger over the network.

“An attacker can cause VTScada to crash on an Internet server if a specifically crafted malformed network request is made to VTScada, even if that attacker does not have security credentials on the server. The malformed network request causes an integer overflow resulting in the attempted allocation of an excessively large buffer. The failure to allocate this buffer will terminate the VTScada server. The crash would not occur accidentally as a result of normal use,” ICS-CERT said.
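The failure mode ICS-CERT describes (an untrusted length field that becomes an oversized allocation, whose failure the server treats as fatal) is shown below as an added C example. It is not VTScada code and the wire format, field names, limits and sample messages are all hypothetical, constructed for illustration: a header with a signed 32-bit record count and a 16-bit record length, followed by the records. The vulnerable path trusts both fields, so a negative count sign-extends into a near-SIZE_MAX malloc request and the process exits; the hardened path bounds both fields, guards the multiply, and cross-checks the declared size against the bytes that actually arrived before the allocator is involved.

```c
/* Added example, not VTScada code. Hypothetical wire format:
 *   [int32 record_count, big-endian][uint16 record_len, big-endian][records]
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN        6
#define MAX_RECORDS    4096u   /* assumed server-side policy limits */
#define MAX_RECORD_LEN 512u

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_MSG[HDR_LEN + 8] = {
    0x00, 0x00, 0x00, 0x02,  /* record_count = 2  */
    0x00, 0x04,              /* record_len   = 4  */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'
};
static const uint8_t CRAFTED_MSG[HDR_LEN] = {
    0xFF, 0xFF, 0xFF, 0xFF,  /* record_count = -1 */
    0x00, 0x10               /* record_len   = 16 */
};

/* Vulnerable sizing: trusts both header fields. A negative count
 * sign-extends to a size_t near SIZE_MAX; a large positive count times a
 * large record_len asks for more memory than any host has. */
static size_t vulnerable_alloc_size(const uint8_t *msg)
{
    int32_t  count = (int32_t)rd_be32(msg);
    uint16_t rlen  = rd_be16(msg + 4);
    return (size_t)count * rlen;   /* CRAFTED_MSG -> 0xFFFF...FFF0 */
}

/* Vulnerable handler: allocation failure is treated as unrecoverable, so
 * one unauthenticated packet terminates the whole server process. */
static void vulnerable_handle(const uint8_t *msg, size_t msg_len)
{
    size_t need = vulnerable_alloc_size(msg);
    uint8_t *buf = malloc(need);
    if (buf == NULL) {
        fprintf(stderr, "fatal: cannot allocate %zu bytes\n", need);
        exit(1);
    }
    size_t have = msg_len - HDR_LEN;
    memcpy(buf, msg + HDR_LEN, have < need ? have : need);
    /* ... process records ... */
    free(buf);
}

/* Hardened sizing: every attacker-controlled quantity is bounded and the
 * multiply is guarded before the allocator is involved. Returns 0 and sets
 * *out_size on success, -1 on a malformed message (drop it, keep serving). */
static int checked_alloc_size(const uint8_t *msg, size_t msg_len, size_t *out_size)
{
    if (msg_len < HDR_LEN)
        return -1;
    int32_t  count = (int32_t)rd_be32(msg);
    uint16_t rlen  = rd_be16(msg + 4);
    if (count < 0 || (uint32_t)count > MAX_RECORDS)
        return -1;
    if (rlen == 0 || rlen > MAX_RECORD_LEN)
        return -1;
    /* portable overflow guard; the bounds above already make overflow
       impossible, but the check keeps the invariant if the limits change */
    if ((size_t)count > SIZE_MAX / rlen)
        return -1;
    size_t total = (size_t)count * rlen;
    if (total != msg_len - HDR_LEN)    /* declared size must match what arrived */
        return -1;
    *out_size = total;
    return 0;
}

/* Convenience: buffer size the checked parser accepts, or 0 if it rejects. */
static size_t checked_size_or_zero(const uint8_t *msg, size_t msg_len)
{
    size_t n = 0;
    return checked_alloc_size(msg, msg_len, &n) == 0 ? n : 0;
}

int main(void)
{
    printf("good message:    checked buffer=%zu bytes\n", checked_size_or_zero(GOOD_MSG, sizeof GOOD_MSG));
    printf("crafted message: checked buffer=%zu (0 = rejected)\n", checked_size_or_zero(CRAFTED_MSG, sizeof CRAFTED_MSG));
    printf("crafted message: vulnerable path would request %zu bytes\n", vulnerable_alloc_size(CRAFTED_MSG));
    vulnerable_handle(CRAFTED_MSG, sizeof CRAFTED_MSG);  /* prints "fatal: ..." and exits 1 */
    return 0;
}
```

The point of the checked version is not the overflow test alone: rejecting negative counts, capping both fields at values the server actually needs, and requiring the declared size to equal the received payload each close off a way for a single packet to drive the allocator. A handler that does this returns an error to one misbehaving client instead of taking the whole SCADA server down.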

The vulnerability, CVE-2014-9192, was discovered by an anonymous researcher who reported it through HP’s Zero Day Initiative (ZDI). The flaw affects VTScada versions 6.5 through 9.1.19, versions 10 through 10.2.21, and versions 11.0 through 11.1.07.

The vendor addressed the bug with the release of versions 11.1.09, 10.2.22 and 09.1.20, which are available from Trihedral’s FTP server. No exploits have been spotted in the wild, but because the flaw is reachable without credentials and requires little skill to trigger, organizations are advised to update their installations promptly.

ICS-CERT also advises organizations to minimize the exposure of critical control systems by isolating them from the Internet and the business network, placing them behind firewalls, and, where remote access is required, using virtual private networks (VPNs) or other secure methods, keeping in mind that a VPN is only as secure as the devices connected to it and must itself be kept patched.

Vulnerabilities in SCADA products are not uncommon. In September, three security holes were uncovered in Schneider Electric solutions, and last month, Siemens fixed critical flaws that exposed SCADA systems to remote attacks.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
