7-Technologies Termis DLL Hijacking
Low Risk · ICS-CERT ICSA-12-025-02A · Oct 28, 2012
Summary
TERMIS versions 2.10 and earlier are vulnerable to DLL hijacking due to unsafe DLL search order or loading from untrusted directories. An attacker with local file system access can place a malicious DLL in a location searched by TERMIS during startup, leading to arbitrary code execution when the application is launched. The vulnerability affects all versions through V2.10 dated November 30, 2011, and no vendor patch is available.
What this means
What could happen
An attacker with local access to a workstation running TERMIS could execute arbitrary code by placing a malicious DLL file in a directory that the application searches during startup, potentially compromising engineering controls or process monitoring.
Who's at risk
Engineering and process control personnel who operate TERMIS on Windows workstations should care about this issue. TERMIS is used for monitoring and control of industrial processes; compromise could affect process visibility and command execution on connected systems.
How it could be exploited
An attacker with local write access to the workstation file system could place a malicious DLL in a directory that TERMIS searches when loading libraries (such as the application directory or a shared library path). When TERMIS starts, it loads the attacker's DLL instead of the legitimate one, executing arbitrary code with the privileges of the user running TERMIS.
Prerequisites
- Local write access to the TERMIS application directory or system directories in the DLL search path
- User account able to restart TERMIS or trigger application startup
- TERMIS installed and in use on the workstation
No authentication required for local exploitation · Low complexity attack · No patch available · Requires local access (not remotely exploitable)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
TERMIS: <=V2.10_dated_November_30_2011 | ≤ V2.10 dated November 30 2011 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict file system write permissions on the TERMIS application directory and system library paths to authorized administrators only
- HARDENING: Limit local user access to workstations running TERMIS; use role-based access control to ensure only necessary personnel can log in
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor TERMIS application directory for unexpected or modified DLL files; implement file integrity monitoring if available
Mitigations - no patch available
TERMIS: <=V2.10_dated_November_30_2011 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate TERMIS workstations from untrusted networks and limit physical access to prevent unauthorized local code deployment
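The two directory-level controls above (restricting write permissions and monitoring for unexpected or modified DLLs) can be checked together with a script like the one below. It is an added example, not part of the advisory or any vendor tooling; `-AppDir` and `-BaselinePath` are placeholders, because the advisory does not state the TERMIS install path.

```powershell
# Added example, not vendor code. Run once with -CreateBaseline on a known-good
# install, then on a schedule without it.
param(
    [Parameter(Mandatory)] [string] $AppDir,        # placeholder: TERMIS install directory
    [Parameter(Mandatory)] [string] $BaselinePath,  # keep where only administrators can write
    [switch] $CreateBaseline
)

# SHA-256 of every DLL under the application directory.
function Get-DllInventory([string] $Root) {
    Get-ChildItem -LiteralPath $Root -Filter *.dll -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Allow-ACEs that let anyone other than Administrators, SYSTEM or
# TrustedInstaller create or overwrite files in the directory.
function Get-WritableAce([string] $Root) {
    $trusted = 'S-1-5-32-544', 'S-1-5-18',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # WriteData/CreateFiles (0x2) plus raw GENERIC_WRITE and GENERIC_ALL bits.
    $writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
    (Get-Acl -LiteralPath $Root).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ([int] $_.FileSystemRights -band $writeMask) -ne 0
        }
}

$current = @(Get-DllInventory $AppDir)
if ($CreateBaseline) {
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    return
}

$known = @{}   # path -> baseline hash (PowerShell hashtable keys are case-insensitive)
Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $known[$_.Path] = $_.SHA256 }
foreach ($dll in $current) {
    if (-not $known.ContainsKey($dll.Path))    { "NEW       $($dll.Path)" }
    elseif ($known[$dll.Path] -ne $dll.SHA256) { "MODIFIED  $($dll.Path)" }
    $known.Remove($dll.Path)
}
$known.Keys | ForEach-Object { "MISSING   $_" }
Get-WritableAce $AppDir | ForEach-Object { "WRITABLE  $($_.IdentityReference.Value) $($_.FileSystemRights)" }
```

A `NEW` line is the result to investigate first, since a DLL that was not present in the known-good install is what a search-order plant looks like on disk; any `WRITABLE` line identifies a principal whose access should be removed under the first hardening item.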
CVEs (1)