


Path Traversal Flaw Found in ICONICS WebHMI

A researcher has identified a serious path traversal vulnerability in a web-based human machine interface (HMI) product from industrial automation software developer ICONICS.


ICONICS WebHMI allows managers, supervisors and operators to remotely access reports, graphics, historical trends and alarms from any web browser. The product has been used primarily in the United States and Europe in sectors such as energy, commercial facilities, healthcare, water, and food and agriculture.

Maxim Rupp, a German researcher who specializes in ICS/SCADA security, discovered that the product is affected by a directory traversal flaw (CVE-2016-2289) that allows a remote attacker to read configuration files storing password hashes and other information. The issue was reported to ICS-CERT on December 22, 2015, and ICS-CERT in turn notified the vendor.

The vulnerability affects ICONICS WebHMI version 9 and earlier, and it has been assigned a CVSS score of 9.8, which puts it in the top severity band (a 9.8 is rated “critical” under CVSS v3). Rupp told SecurityWeek that the information found in the exposed configuration files could in theory be used to gain access to other systems, but he believes that is unlikely to happen in practice.

For an attack to be successful, the attacker only needs to be able to send an HTTP request to a vulnerable WebHMI instance; no authentication is required. ICONICS has not released patches for the vulnerability and instead advised users of vulnerable versions to avoid exposing the product directly to the Internet.
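To make the bug class concrete, the following is an added example written for this page; it is not ICONICS code and does not reflect WebHMI's real URL layout or file names, which the advisory does not describe. It shows the classic vulnerable pattern (join the requested path onto the web root and trust the result), a hardened resolver that decodes, normalizes and then requires the result to stay under the root, and a check that runs the hardened resolver over access-log lines so a defender can spot traversal attempts against an instance that cannot yet be patched. WEB_ROOT, the log lines and the file names in them are constructed for the example.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed stand-in for a web root; the real product's directory layout is unknown.
WEB_ROOT = "/srv/webhmi/www"

# Constructed access-log lines in Common Log Format, written for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2016:10:15:02 +0000] "GET /reports/daily.html HTTP/1.1" 200 1834
10.0.0.5 - - [31/Mar/2016:10:15:09 +0000] "GET /reports/../../../etc/passwd HTTP/1.1" 200 2219
198.51.100.7 - - [31/Mar/2016:10:16:41 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/config/users.xml HTTP/1.1" 200 742
198.51.100.7 - - [31/Mar/2016:10:16:55 +0000] "GET /graphics/%252e%252e%252f%252e%252e%252fsecrets.cfg HTTP/1.1" 404 0
"""

_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def decode_path(raw: str) -> str:
    """Drop the query string, percent-decode twice (so %252e%252e double encoding is
    caught), and treat backslashes as separators, as a Windows-hosted server would."""
    p = raw.split("?", 1)[0]
    p = unquote(unquote(p))
    return p.replace("\\", "/")


def resolve_unsafe(requested: str) -> str:
    """Vulnerable pattern: join the URL path onto the web root and trust the result.
    Each '..' segment walks one directory out of WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(requested).lstrip("/")))


def resolve_safe(requested: str):
    """Hardened pattern: decode, normalize, then require the normalized path to be
    WEB_ROOT itself or a descendant of it. Returns None for anything else."""
    decoded = decode_path(requested)
    if "\x00" in decoded:              # embedded NUL can truncate the path in C-backed APIs
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def flag_traversal_requests(log_text: str) -> list:
    """Return the raw request paths in log_text that the hardened resolver rejects,
    i.e. requests that would have escaped the web root under the unsafe resolver."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if m and resolve_safe(m.group("path")) is None:
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    print("unsafe:", resolve_unsafe("/reports/../../../etc/passwd"))
    print("safe:  ", resolve_safe("/reports/../../../etc/passwd"))
    for path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
```

The log check deliberately reuses the resolver rather than grepping for `../`, so single- and double-percent-encoded forms and backslash variants are caught by the same logic that would protect the server; a status of 200 on a flagged line is the signal that the request actually succeeded.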

The company has also advised customers to upgrade the product to version 10 and apply the security features available in this newer release.

“ICS-CERT Advisory ICSA-16-091-01 pertains to ICONICS’ WebHMI product (Version 9 and earlier). The current version of WebHMI (Version 10) has been on the market since 2008 and is not affected by this potential vulnerability. ICONICS advises Version 9 customers who want to expose the product directly to the Internet to upgrade their existing product to Version 10 and apply the security features available in this newer release. ICONICS’ latest products include cloud connectivity with built-in advanced security and encryption features,” ICONICS told SecurityWeek.

“ICONICS recommends that customers using WebHMI Version 9 or earlier avoid exposing the product directly to the Internet, following the prescribed Mitigation steps listed on the ICS-CERT Web site. Any current project deployed via Version 9 or earlier should be protected behind a company firewall. ICONICS is currently working on a patch to address this vulnerability,” the company added.

In recent years, ICS-CERT has published several advisories for vulnerabilities in ICONICS products. Most of the advisories cover issues affecting GENESIS, the company’s suite of OPC, SNMP, BACnet and web-enabled HMI and SCADA applications.


Maxim Rupp has been credited for responsibly reporting vulnerabilities in many ICS/SCADA products, including XZERES wind turbines, Tollgrade’s LightHouse SMS power distribution monitoring product, Honeywell’s Tuxedo Touch automation controllers and Midas gas detectors, and Chiyu Technology fingerprint access controllers.

*Updated with statement from ICONICS

Related: Learn More at the ICS Cyber Security Conference

Related: Hackers Can Remotely Unlock Doors via Flaw in HID Controllers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


