Canada-based Trihedral Engineering Ltd. has released software updates to address a security vulnerability that can be leveraged to cause VTScada servers to crash.
VTScada (VTS) is a control and monitoring application for supervisory control and data acquisition (SCADA) systems. The product is used in industries such as chemical, energy, communications, critical manufacturing, transportation, and food and agriculture mainly in North America and Europe.
According to an advisory published on Tuesday by the Industrial Control Systems Computer Emergency Response Team (ICS-CERT), the software is plagued by a remotely exploitable integer overflow vulnerability.
“An attacker can cause VTScada to crash on an Internet server if a specifically crafted malformed network request is made to VTScada, even if that attacker does not have security credentials on the server. The malformed network request causes an integer overflow resulting in the attempted allocation of an excessively large buffer. The failure to allocate this buffer will terminate the VTScada server. The crash would not occur accidentally as a result of normal use,” ICS-CERT said.
The vulnerability, CVE-2014-9192, was discovered by an anonymous researcher who reported it through HP’s Zero Day Initiative (ZDI). The flaw affects VTScada versions 6.5 through 9.1.19, versions 10 through 10.2.21, and versions 11.0 through 11.1.07.
The vendor addressed the bug with the release of versions 11.1.09, 10.2.22 and 09.1.20. The updates are available on Trihedral’s FTP server. Exploits have not been spotted in the wild, but organizations are advised to update their installations since even a less skilled attacker can exploit the vulnerability.
ICS-CERT also advises organizations to minimize exposure for critical control systems by isolating them from the Internet and the business network, place sensitive systems behind firewalls, and use virtual private networks (VPNs) and other secure methods when remote access is required.
Vulnerabilities in SCADA products are not uncommon. In September, three security holes were uncovered in Schneider Electric solutions, and last month, Siemens fixed critical flaws that exposed SCADA systems to remote attacks.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
