Path Traversal Flaw Found in ICONICS WebHMI

A researcher has identified a serious path traversal vulnerability in a web-based human machine interface (HMI) product from industrial automation software developer ICONICS.

ICONICS WebHMI allows managers, supervisors and operators to remotely access reports, graphics, historical trends and alarms from any web browser. The product has been used primarily in the United States and Europe in sectors such as energy, commercial facilities, healthcare, water, and food and agriculture.

Maxim Rupp, a German researcher who specializes in ICS/SCADA security, discovered that the product is plagued by a directory traversal flaw (CVE-2016-2289) that allows a remote attacker to access configuration files storing password hashes and other information. The issue was reported to ICS-CERT on December 22, 2015, which in turn notified the vendor.

The vulnerability affects ICONICS WebHMI version 9 and earlier, and it has been assigned a CVSS score of 9.8, which puts it in the “high severity” category. Rupp told SecurityWeek that the information found in the exposed configuration files could in theory be used to gain access to other systems, but the expert believes it’s unlikely to happen.

For an attack to be successful, the attacker needs to be able to send a request to a vulnerable WebHMI product. ICONICS has not released patches for the vulnerability and instead advised users of vulnerable versions to avoid exposing the product directly to the Internet.
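The flaw described above is the classic directory traversal pattern: a client-supplied file name is joined onto the server's document root, and `..` segments walk out of it to files such as configuration stores holding password hashes. The following is an added example written for this article, not ICONICS code and not taken from the advisory. It shows the vulnerable resolver beside a hardened one, and a small detector that flags traversal attempts in web-server access logs, which is the monitoring a site that cannot yet patch would want. The document root, file names and log lines are constructed for the example.

```python
"""Added example (not ICONICS or ICS-CERT code): a vulnerable path resolver,
its hardened counterpart, and a log scanner for traversal attempts.

All paths, file names and log lines below are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/webhmi"  # hypothetical document root, constructed


def naive_resolve(requested: str) -> str:
    """Vulnerable pattern: the client-supplied name is joined straight onto
    the document root, so '../' segments climb out of it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def safe_resolve(requested: str):
    """Hardened pattern: decode, normalise, then require the result to stay
    inside WEB_ROOT. Returns None when the request would leave the root."""
    # Decode twice so a double-encoded '..' (%252e%252e) is caught as well,
    # and fold backslashes, which Windows-hosted servers treat as separators.
    decoded = unquote(unquote(requested)).replace("\\", "/")
    # Strip a leading slash so join() does not discard WEB_ROOT.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [22/Dec/2015:10:00:01 +0000] "GET /WebHMI/report.aspx?file=daily.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Dec/2015:10:00:07 +0000] "GET /WebHMI/report.aspx?file=../../config/users.xml HTTP/1.1" 200 2048',
    '203.0.113.7 - - [22/Dec/2015:10:00:09 +0000] "GET /WebHMI/report.aspx?file=..%2F..%2Fweb.config HTTP/1.1" 200 1024',
    '203.0.113.7 - - [22/Dec/2015:10:00:12 +0000] "GET /WebHMI/report.aspx?file=%252e%252e%252fweb.config HTTP/1.1" 200 1024',
    '10.0.0.9 - - [22/Dec/2015:10:01:30 +0000] "GET /WebHMI/trends/trend..2015.xml HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def looks_like_traversal(target: str) -> bool:
    """True when any path or query segment of the request is exactly '..'
    after decoding. Splitting on '/', '?', '=' and '&' keeps 'file=../x'
    visible while leaving names like 'trend..2015.xml' alone."""
    decoded = unquote(unquote(target)).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", decoded))


def find_traversal_attempts(lines):
    """Return the log lines whose request target contains a traversal segment."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and looks_like_traversal(match.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("naive :", naive_resolve("../../../etc/passwd"))
    print("safe  :", safe_resolve("../../../etc/passwd"))
    for hit in find_traversal_attempts(LOG_LINES):
        print("ALERT :", hit)
```

The resolver check compares the normalised absolute path against the root rather than searching the input for `..`, because encoding tricks and separator variants are easier to get wrong with a blacklist than with a whitelist on the final location. The log scanner is deliberately looser: it is meant to surface attempts for review, so it decodes and splits the whole request target, including the query string.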

The company has also advised customers to upgrade the product to version 10 and apply the security features available in this newer release.

“ICS-CERT Advisory ICSA-16-091-01 pertains to ICONICS’ WebHMI product (Version 9 and earlier). The current version of WebHMI (Version 10) has been on the market since 2008 and is not affected by this potential vulnerability. ICONICS advises Version 9 customers who want to expose the product directly to the Internet to upgrade their existing product to Version 10 and apply the security features available in this newer release. ICONICS’ latest products include cloud connectivity with built-in advanced security and encryption features,” ICONICS told SecurityWeek.

“ICONICS recommends that customers using WebHMI Version 9 or earlier avoid exposing the product directly to the Internet, following the prescribed Mitigation steps listed on the ICS-CERT Web site. Any current project deployed via Version 9 or earlier should be protected behind a company firewall. ICONICS is currently working on a patch to address this vulnerability,” the company added.

Over the past few years, ICS-CERT has published several advisories for vulnerabilities in ICONICS products. Most of the advisories cover issues affecting GENESIS, the company’s suite of OPC, SNMP, BACnet and web-enabled HMI and SCADA applications.

Maxim Rupp has been credited for responsibly reporting vulnerabilities in many ICS/SCADA products, including XZERES wind turbines, Tollgrade’s LightHouse SMS power distribution monitoring product, Honeywell’s Tuxedo Touch automation controllers and Midas gas detectors, and Chiyu Technology fingerprint access controllers.

*Updated with statement from ICONICS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
