
ICONICS SCADA Vulnerabilities: What Houston Energy, Utility & Manufacturing Businesses Need to Know
Critical Infrastructure, Critical Vulnerabilities: ICONICS SCADA Vulnerability Report
Introduction
In the realm of industrial control systems, SCADA (Supervisory Control and Data Acquisition) software forms the backbone of critical infrastructure operations across various sectors. Recently, security researchers uncovered several high-severity vulnerabilities in ICONICS SCADA systems, potentially exposing hundreds of thousands of installations worldwide to significant security risks. This blog post examines these vulnerabilities, their implications, and the steps organizations should take to protect their systems.
Who Identified the Vulnerabilities?
Security researchers from Palo Alto Networks’ Unit 42 identified five high-severity vulnerabilities affecting ICONICS and Mitsubishi Electric SCADA products in early 2024. The discovery was made during a security assessment of the ICONICS Suite; the vulnerabilities specifically affect versions 10.97.2 and 10.97.3 for Microsoft Windows, though earlier versions may also be vulnerable.
The Vulnerable Products
The vulnerabilities impact several widely deployed products:
- ICONICS GENESIS64
- Mitsubishi Electric GENESIS64
- Mitsubishi Electric MC Works64
These products are used in hundreds of thousands of installations across more than 100 countries and are particularly prevalent in critical infrastructure sectors including:
- Government
- Military
- Manufacturing
- Water and wastewater
- Utilities and energy
The Vulnerabilities in Detail
The five high-severity vulnerabilities discovered all received CVSS scores between 7.0 and 7.8, placing them in the “high” severity category. While all require authentication for exploitation, they could allow attackers with initial access to execute code, elevate privileges, and manipulate critical files.
- DLL Hijacking (CVE-2024-1182) – A vulnerability in Memory Master Configuration (MMCFG) that could lead to privilege escalation. The issue stems from an outdated SMS SDK (Derdack’s Message Master) that has been deprecated for approximately 15 years but remains integrated into the ICONICS Suite AlarmWorX MMX module.
- Incorrect Default Permissions (CVE-2024-7587) – Found in GenBroker32, this vulnerability allows authenticated attackers to disclose or tamper with confidential information and potentially cause denial-of-service conditions. The vulnerability occurs when GenBroker32 is installed alongside GENESIS64, resulting in overly permissive settings that grant system-wide user access to critical directories.
- Uncontrolled Search Path Element (CVE-2024-8299) – This vulnerability affects all versions of the ICONICS and Mitsubishi products, allowing a local authenticated attacker to execute malicious code by storing specially crafted DLLs in application folders.
- Dead Code (CVE-2024-8300) – Present in versions 10.97.2 and 10.97.3, this vulnerability allows an authenticated attacker to execute malicious code by tampering with specially crafted DLLs.
- Uncontrolled Search Path Element (CVE-2024-9852) – Similar to CVE-2024-8299, this vulnerability affects all versions of the products and enables a local authenticated attacker to execute malicious code and elevate privileges by placing specially crafted DLLs in specific folders.
The Impact
On unpatched installations without mitigations, these vulnerabilities could lead to:
- DLL Hijacking: Attackers could substitute legitimate ICONICS DLL files with malicious ones, potentially leading to arbitrary code execution, system integrity compromise, and persistent attacker access.
- Privilege Escalation: Attackers could gain unauthorized access to restricted resources, execute malicious actions, or cause denial-of-service conditions.
- File Manipulation: Attackers could modify configuration settings or replace legitimate binaries with malicious ones, potentially resulting in unauthorized access, data manipulation, abuse of trust relationships, or even full system compromise.
Collectively, these vulnerabilities pose significant risks to the confidentiality, integrity, and availability of affected systems.
Mitigation Strategies
ICONICS has worked with Palo Alto Networks to address these vulnerabilities. Here are the recommended mitigation strategies:
- Apply Security Patches: ICONICS has released security patches to address these vulnerabilities. Organizations should update to the latest versions of the affected products.
- Implement Workarounds: For systems that cannot be immediately patched, ICONICS has published advisories with recommended workarounds.
- Review GenBroker Usage: Be cautious when installing GenBroker components. The vulnerable GenBroker32 utility should not be installed on top of GENESIS64.
- Monitor for Suspicious Activity: Implement robust monitoring to detect potential exploitation attempts.
- Limit Network Exposure: According to telemetry from public internet scans, several dozen ICONICS servers are accessible from the internet. Organizations should ensure these systems are properly secured behind firewalls and not directly accessible from the public internet.
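As an added defensive example (not code from the original post, ICONICS, or Unit 42), the following PowerShell audit checks an installation tree for the two conditions the report describes: application directories writable by broad identities (the incorrect-default-permissions class of CVE-2024-7587) and DLLs under the install root that are unsigned or fail Authenticode validation (the search-path / DLL-hijacking class of CVE-2024-8299 and CVE-2024-9852). The -InstallRoot parameter and the identity list are assumptions; point it at the host's ICONICS or GENESIS64 installation directory.

```powershell
# Added defensive audit, not ICONICS or Unit 42 code. -InstallRoot is an assumption:
# pass the host's ICONICS / GENESIS64 installation directory.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallRoot
)

# Identities whose write access to an application directory indicates the kind of
# overly permissive default the report describes (assumed list; extend as needed).
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a low-privileged user drop or replace files in the folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

$findings = @()

# Check 1: directories where a broad identity is allowed to write or modify files.
Get-ChildItem -Path $InstallRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadIdentities -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                $findings += [pscustomobject]@{
                    Type   = 'WritableByBroadIdentity'
                    Path   = $_.FullName
                    Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
                }
            }
        }
    }

# Check 2: DLLs in the application folders that are unsigned or whose signature
# does not validate. A legitimate vendor DLL replaced by a planted one typically
# shows up here as NotSigned or HashMismatch.
Get-ChildItem -Path $InstallRoot -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{
                Type   = 'UnsignedOrInvalidDll'
                Path   = $_.FullName
                Detail = "$($sig.Status)"
            }
        }
    }

$findings | Sort-Object Type, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so every subdirectory's ACL can be read; review each finding against the vendor advisory rather than treating every unsigned DLL as hostile, since some legitimate third-party components ship unsigned.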
How CinchOps Can Assist
Protecting critical infrastructure requires expertise and vigilance. CinchOps can help your organization address these ICONICS SCADA vulnerabilities through:
- Vulnerability Assessment: Our experts can scan your systems to identify vulnerable ICONICS installations and provide a comprehensive report of security gaps.
- Patch Management: We can assist in developing and implementing a structured approach to applying security patches while minimizing operational disruption.
- Network Security Hardening: Our team can help isolate critical SCADA systems from external networks and implement proper segmentation to reduce the attack surface.
- Security Monitoring: We offer 24/7 monitoring services to detect and respond to potential exploitation attempts targeting your industrial control systems.
- Incident Response Planning: We can help develop tailored incident response procedures specifically for industrial control system environments.
- OT/IT Security Integration: Our specialists bridge the gap between operational technology and information technology security practices to ensure comprehensive protection.
In today’s increasingly connected industrial environments, protecting SCADA systems requires specialized knowledge and proactive security measures. CinchOps is committed to helping organizations navigate these challenges and maintain the security and reliability of their critical infrastructure.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Contact us today to learn how we can help secure your ICONICS SCADA systems against these and other vulnerabilities.