OTPulse

ICONICS GENESIS32 and BizViz ActiveX Trusted Zone Vulnerability

Low Risk · ICS-CERT ICSA-11-182-01 · Apr 3, 2011
Summary

GENESIS32 and BizViz versions 9.21 contain a vulnerability in how they register ActiveX controls in Internet Explorer's Trusted Zone. An attacker can host malicious ActiveX controls on a website and execute arbitrary code on an engineering workstation if a user with GENESIS32 installed visits that site. This is a client-side attack that bypasses normal ActiveX security prompts by exploiting the Trusted Zone registration.

What this means
What could happen
An attacker who can trick an engineer into visiting a malicious website while using a vulnerable GENESIS32 Workbench could run arbitrary code on that machine with the engineer's privileges, potentially altering control logic or stealing credentials for other systems in your plant network.
Who's at risk
Manufacturing facilities using ICONICS GENESIS32 or BizViz HMI/SCADA workstations for real-time process monitoring and control. Engineering and operations staff who access these systems from workstations connected to the plant network are at risk if they browse the internet on those same machines.
How it could be exploited
An attacker hosts a malicious website or sends a phishing link to an engineer. When the engineer visits the site in Internet Explorer on a machine with vulnerable GENESIS32 installed, the browser's Trusted Zone policy allows embedded ActiveX controls from the page to run without prompt. The malicious ActiveX control executes arbitrary commands on the workbench machine.
Prerequisites
  • Engineer visits attacker-controlled or compromised website from a machine with GENESIS32 or BizViz installed
  • Internet Explorer is used as the browser
  • Machine must have vulnerable version 9.21 installed
  • ActiveX controls are enabled in Internet Explorer (default configuration)
Key points
  • Requires social engineering (phishing/malicious website)
  • No patch available from vendor
  • Engineering workstation compromise can lead to process manipulation
  • Default browser configuration allows exploitation
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (2), both end of life (EOL)

Product | Affected Versions | Fix Status
GENESIS32 including Workbench / WebHMI components | 9.21 | No fix (EOL)
BizViz | 9.21 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Do not visit untrusted or unfamiliar websites from engineering workstations running GENESIS32 or BizViz
HARDENING: Disable ActiveX in Internet Explorer on engineering workstations, or restrict ActiveX to signed controls only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Use a separate, isolated browser on engineering workstations for internet access unrelated to plant operations
HARDENING: Apply the principle of least privilege: run GENESIS32 Workbench with standard user (not administrator) credentials when possible
HARDENING: Monitor for and block access to known malicious sites using firewall or DNS filtering
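The ActiveX hardening items above (disable ActiveX in Internet Explorer, or restrict it to signed controls) are set through IE's per-zone URLACTION registry values. The PowerShell audit below is an added example and is not part of the OTPulse advisory or of ICONICS' products; it assumes Microsoft's documented Trusted Zone id 2, the URLACTION codes 1001/1004/1200/1201/1405 with 0 = Enable, 1 = Prompt, 3 = Disable, and it writes only the current user's zone settings when run with -Harden.

```powershell
# Added example (not from the OTPulse advisory or ICONICS): audit the Internet Explorer
# Trusted Zone (zone id 2) ActiveX settings on a GENESIS32/BizViz workstation and, with
# -Harden, apply the "signed controls only" hardening. Add -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Harden)
$ZonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
)
# Microsoft's URLACTION codes governing ActiveX in a zone; 0 = Enable, 1 = Prompt, 3 = Disable.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
# "Signed controls only": unsigned downloads and unsafe-for-scripting controls are disabled.
$HardenTo = @{ '1004' = 3; '1201' = 3 }
foreach ($path in $ZonePaths) {
    if (-not (Test-Path $path)) { continue }
    $zone = Get-ItemProperty -Path $path
    Write-Host "`n[$path]"
    foreach ($code in $ActiveXActions.Keys) {
        $value = $zone.$code
        # Enable (0) is the setting that lets a page in the zone run a control silently.
        if ($null -eq $value) { $verdict = 'CHECK  (not set, zone template default applies)' }
        else { $verdict = switch ([int]$value) { 0 { 'WEAK   (Enable)' } 1 { 'PROMPT (Prompt)' }
                                                 3 { 'OK     (Disable)' } default { "CHECK  ($value)" } } }
        Write-Host ('  {0} {1} {2}' -f $code, $ActiveXActions[$code].PadRight(58), $verdict)
    }
}
# Every host the current user has placed in the Trusted Zone (scheme value = 2).
$domains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
Write-Host "`nSites assigned to the Trusted Zone:"
Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # ZoneMap stores hosts as Domains\example.com\www; rebuild the host name.
    $parts = ($_.PSPath -split 'Domains\\')[-1] -split '\\'; [array]::Reverse($parts)
    $props = Get-ItemProperty -Path $_.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if (($p.Name -in 'http', 'https', '*') -and $p.Value -eq 2) { Write-Host "  $($p.Name)://$($parts -join '.')" }
    }
}
if ($Harden) {
    foreach ($code in $HardenTo.Keys) {
        if ($PSCmdlet.ShouldProcess("$($ZonePaths[0])\$code", 'set to 3 (Disable)')) {
            Set-ItemProperty -Path $ZonePaths[0] -Name $code -Value $HardenTo[$code] -Type DWord
        }
    }
}
```

Any line reported as WEAK in the Trusted Zone is the condition the advisory describes: a page in that zone can run an ActiveX control without a prompt.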