Researchers at Palo Alto Networks have uncovered multiple vulnerabilities within a Supervisory Control and Data Acquisition (SCADA) system, specifically identifying five vulnerabilities in versions 10.97.2 and earlier for Microsoft Windows. Early last year, they conducted a comprehensive security assessment of the ICONICS Suite, a SCADA system. In collaboration with the ICONICS security team, they facilitated the release of several security patches in 2024 to address some of these vulnerabilities. Additionally, they issued timely security advisories with workarounds for the remaining issues.
“On unpatched ICONICS installations without any workarounds or remediations, these vulnerabilities could lead to escalation of privileges, DoS and in specific circumstances, even full system compromise,” Asher Davila and Malav Vyas, security researchers at Palo Alto’s Unit42 division, wrote in a recent blog post.
They noted that attackers could perform DLL hijacking by substituting legitimate ICONICS DLL files with malicious DLLs bearing the legitimate files’ names. This could potentially lead to arbitrary code execution, system integrity compromise, and persistent attacker access. Attackers could also escalate their privileges, gaining unauthorized access to restricted resources, executing malicious actions, or even causing a DoS on the affected system.
Additionally, the researchers added that the attackers could manipulate critical files, modifying configuration settings or replacing legitimate binaries with malicious ones. This could potentially result in unauthorized access, data manipulation, elevation of privileges, trust relationship abuse, or even full system compromise. In combination, these vulnerabilities pose a risk to the confidentiality, integrity, and availability of a system.
ICONICS Suite is a SCADA solution suite that has hundreds of thousands of installations in over 100 countries. The suite is commonly used in critical infrastructure sectors such as government, military, manufacturing, water and wastewater, and utilities and energy. It is used in numerous OT applications, including automation, data analysis, and industrial internet of things (IIoT)/cloud integration.
Davila and Vyas wrote that they found vulnerabilities in ICONICS Suite versions 10.97.2 and 10.97.3, and they may also exist in earlier versions. “According to our telemetry from public internet scans, several dozen ICONICS servers are accessible from the internet, making them particularly vulnerable to attackers.”
ICONICS Suite features a diverse range of servers, including a Building Automation and Control Networks (BACnet) server, BACnet being a data protocol designed to enable communication between different electronic devices (e.g., alarms, motion sensors, air conditioning units and heaters); Open Platform Communications (OPC) servers used to facilitate communication between various software and hardware components, particularly in automation and industrial control systems; and HTTP servers that provide connectivity and remote monitoring capabilities.
The researchers further detailed that GENESIS64 is a suite of tools that helps establish connectivity with OT device protocols like BACnet and Modbus. It also facilitates communication with OPC servers. “OPC servers enable various software packages, serving as OPC clients, to retrieve data from a process control device, like a programmable logic controller (PLC) or a distributed control system. However, ICONICS requires a GenBroker communications utility to communicate with legacy implementations of OPC servers.”
Noting that GenBroker is part of both the GENESIS32 and GENESIS64 software solutions, they added that the GenBroker communications utility comes in a 32-bit version called GenBroker32 and a 64-bit version called GenBroker64. “GENESIS32 is currently at version 9.7 and contains the vulnerable GenBroker32 utility. For a variety of reasons, ICONICS recommends using GENESIS64 instead, and GENESIS64 uses the non-vulnerable GenBroker64 utility by default. Additionally, GenBroker32 should not be installed on top of GENESIS64.”
However, a user could inadvertently add the vulnerable GenBroker32 utility during or after installing GENESIS64. This addition triggers permission changes in a critical directory containing key binaries and configuration files for the ICONICS Suite, resulting in overly permissive settings that grant system-wide user access to this directory.
“In our security assessment, after installing version 10.97.2 of the ICONICS Suite, the configuration page offered an option to install GenBroker, even when GenBroker64 was already installed,” according to Davila and Vyas. “This option is labeled ‘GenBroker’ and actually installed the vulnerable GenBroker32 utility. This GenBroker option did not indicate that GenBroker64 was pre-installed or that it would install the 32-bit version.”
They also examined Phantom DLL hijacking, a cybersecurity attack technique where attackers exploit the way applications load DLLs. This method involves reintroducing an outdated, nonexistent, or unused legitimate DLL back into the system.
“The attacker modifies the obsolete DLL to perform malicious activities, such as Arbitrary code execution, Persistence, System integrity compromise, and Elevation of privileges,” according to the researchers. “By abusing the Windows DLL search order, an attacker can place the malicious DLL in a directory where the system will eventually look for it and load it.”
“During our security assessment, we discovered this vulnerability in the ICONICS Suite due to an outdated SMS software development kit (SDK) for Derdack’s Message Master. This outdated Message Master SMS SDK at version 2.0 was developed by Derdack but has been deprecated for approximately 15 years with no ongoing support,” Davila and Vyas detailed in their post. “While no longer maintained, the Message Master SMS SDK is still integrated into the ICONICS Suite AlarmWorX MMX module. This module is responsible for facilitating SMS and pager alerts. When those applications use Message Master SMS SDK, they are exposed to the underlying vulnerabilities present in the Message Master SMS SDK.”
The researchers also found multiple vulnerable processes generated by ICONICS GENESIS64 that could be exploited through phantom DLL hijacking. Attackers could abuse these processes for various purposes, including persistence, stealth, trust relationship abuse, and deceiving Endpoint Detection and Response (EDR) and monitoring systems.
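Both issues described above, the overly permissive ICONICS directory left behind by a GenBroker32 install and the Windows DLL search order abused by phantom DLL hijacking, come down to directories that a standard user can write into. The following PowerShell audit is an added example and not code from Unit 42 or ICONICS; `$AppDir` is a placeholder for the ICONICS install path, and the list of broad principals treated as risky is an assumption.

```powershell
# Added example (not from the Unit 42 post or ICONICS): flag directories in a
# process's DLL search order that broad, non-privileged principals can write to.
param(
    [string]$AppDir = 'C:\Path\To\ICONICS'   # placeholder, replace with the real install directory
)

# Principals that should never hold write rights on a binary/config directory (assumed list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a standard user plant or replace a DLL or config file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Test-WeakDirectoryAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Directory = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Default DLL search order with SafeDllSearchMode enabled: application directory,
# System32, System, the Windows directory, the current directory, then each PATH entry.
$searchOrder = @(
    $AppDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:Path -split ';' | Where-Object { $_ })

$findings = $searchOrder | Select-Object -Unique | ForEach-Object { Test-WeakDirectoryAcl -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No broadly writable directories found in the DLL search order.'
}
```

Run it from an administrative PowerShell on the ICONICS host; any row for the install directory or a PATH entry is a candidate for tightening the ACL to administrators and the service account only.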
“We have been working in collaboration with the ICONICS security team to fix these issues. ICONICS has released security patches to address these issues,” they added.
In conclusion, the Unit42 researchers wrote that “People often overlook the possibility of attackers abusing privileged file system operations, regardless of the danger they can pose to systems running these processes, especially when these vulnerabilities are found in OT environments.”
They added that the discovery of vulnerabilities within the ICONICS Suite, as identified in versions 10.97.3 and earlier for Windows platforms, highlights the importance of robust security measures. Proactive measures can help mitigate these vulnerabilities and safeguard against potential exploitation.