Security Experts:

Path Traversal Flaw Found in ICONICS WebHMI

A researcher has identified a serious path traversal vulnerability in a web-based human machine interface (HMI) product from industrial automation software developer ICONICS.

ICONICS WebHMI allows managers, supervisors and operators to remotely access reports, graphics, historical trends and alarms from any web browser. The product has been used primarily in the United States and Europe in sectors such as energy, commercial facilities, healthcare, water, and food and agriculture.Vulnerability in ICONICS WebHMI

Maxim Rupp, a German researcher who specializes in ICS/SCADA security, discovered that the product is plagued by a directory traversal flaw (CVE-2016-2289) that allows a remote attacker to access configuration files storing password hashes and other information. The issue was reported to ICS-CERT on December 22, 2015, which in turn notified the vendor.

The vulnerability affects ICONICS WebHMI version 9 and earlier, and it has been assigned a CVSS score of 9.8, which puts it in the “high severity” category. Rupp told SecurityWeek that the information found in the exposed configuration files could in theory be used to gain access to other systems, but the expert believes it’s unlikely to happen.

For an attack to be successful, the attacker needs to be able to send a request to a vulnerable WebHMI product. ICONICS has not released patches for the vulnerability and instead advised users of vulnerable versions to avoid exposing the product directly to the Internet.

The company has also advised customers to upgrade the product to version 10 and apply the security features available in this newer release.

"ICS-CERT Advisory ICSA-16-091-01 pertains to ICONICS’ WebHMI product (Version 9 and earlier). The current version of WebHMI (Version 10) has been on the market since 2008 and is not affected by this potential vulnerability. ICONICS advises Version 9 customers who want to expose the product directly to the Internet to upgrade their existing product to Version 10 and apply the security features available in this newer release. ICONICS’ latest products include cloud connectivity with built-in advanced security and encryption features," ICONICS told SecurityWeek.

"ICONICS recommends that customers using WebHMI Version 9 or earlier avoid exposing the product directly to the Internet, following the prescribed Mitigation steps listed on the ICS-CERT Web site. Any current project deployed via Version 9 or earlier should be protected behind a company firewall. ICONICS is currently working on a patch to address this vulnerability," the company added.

Over the past years, ICS-CERT has published several advisories for vulnerabilities in ICONICS products. Most of the advisories cover issues affecting GENESIS, the company’s suite of OPC, SNMP, BACnet and web-enabled HMI and SCADA applications.

Maxim Rupp has been credited for responsibly reporting vulnerabilities in many ICS/SCADA products, including XZERES wind turbines, Tollgrade’s LightHouse SMS power distribution monitoring product, Honeywell’s Tuxedo Touch automation controllers and Midas gas detectors, and Chiyu Technology fingerprint access controllers.

*Updated with statement from ICONICS

Related: Learn More at the ICS Cyber Security Conference

Related: Hackers Can Remotely Unlock Doors via Flaw in HID Controllers

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.