OTPulse

Measuresoft ScadaPro DLL Hijack

Low Risk | ICS-CERT ICSA-12-145-01 | Feb 25, 2012
Summary

Measuresoft ScadaPro Client and Server are vulnerable to DLL hijacking attacks. An attacker with local file system access can place a malicious DLL in a directory where ScadaPro searches for libraries. When the application loads, it will import and execute the malicious DLL with the application's privileges, potentially allowing unauthorized system access or modification of SCADA operations.

What this means
What could happen
An attacker with local system access could inject malicious code into ScadaPro applications through DLL hijacking, potentially gaining the ability to execute commands with the privileges of the ScadaPro process. This could allow unauthorized changes to SCADA parameters or system configurations.
Who's at risk
Energy sector operators running Measuresoft ScadaPro for supervisory control and data acquisition systems. This affects both the ScadaPro Client (all versions prior to 4.0.0) and ScadaPro Server (prior to version 4.0.0), which are commonly deployed in power generation, distribution, and monitoring infrastructure.
How it could be exploited
An attacker must place a malicious DLL in a directory where ScadaPro Client or Server searches for libraries (typically the application directory or system path). When the ScadaPro application starts, it loads the malicious DLL instead of the legitimate one and executes the attacker's code with the application's privileges.
Prerequisites
  • Local file system write access to ScadaPro application directory or a directory in the DLL search path
  • Ability to place a crafted DLL file before ScadaPro application startup
  • ScadaPro Client or Server version earlier than 4.0.0
no patch available for ScadaPro Client | local privilege escalation risk | affects SCADA systems in energy sector | requires local system access
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
ScadaPro Server: <4.0.0 | <4.0.0 | 4.0.0
ScadaPro Client: <4.0.0 | <4.0.0 | 4.0.0
Remediation & Mitigation
Do now
  • HARDENING: Implement strict file system permissions on ScadaPro application directories to prevent unauthorized modification or placement of files
  • HARDENING: Monitor and restrict write access to system directories and the ScadaPro application folder
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade ScadaPro Server to version 4.0.0 or later
Long-term hardening
  • HARDENING: Review and audit DLL files in ScadaPro directories for unexpected or unsigned executables
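
The file-permission and DLL-audit items above can be checked together with a short PowerShell script. This is an added example, not code from the advisory or from Measuresoft. It assumes a placeholder install path and a trusted-SID list you should adapt, and it inspects only the top-level directory ACL plus each DLL file.

```powershell
# Added example, not vendor code: audit a ScadaPro directory for DLL-hijack exposure.
# $InstallDir is a placeholder; the advisory does not state the install path.
param([string]$InstallDir = 'C:\PLACEHOLDER\ScadaPro')

# Assumed allowlist of SIDs expected to hold write access:
# SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# WriteData/CreateFiles (0x2), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeMask = 0x2 -bor 0x10000000 -bor 0x40000000

# Returns SIDs outside $trusted that hold an Allow ACE with write rights on $Path.
function Get-UntrustedWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.PropagationFlags -band 2) -eq 0) -and   # skip InheritOnly ACEs
            ([int]$_.FileSystemRights -band $writeMask) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Directory itself: anyone outside $trusted who can create files can plant a DLL.
$dirWriters = @(Get-UntrustedWriter -Path $InstallDir)
if ($dirWriters) {
    Write-Warning "$InstallDir is writable by: $($dirWriters -join ', ')"
}

# Each DLL: signature status, hash for baselining, and who else can replace it.
Get-ChildItem -LiteralPath $InstallDir -Filter *.dll -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path      = $_.FullName
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Writers   = (Get-UntrustedWriter -Path $_.FullName) -join ', '
        Modified  = $_.LastWriteTimeUtc
    }
} | Sort-Object Signature, Path | Format-Table -AutoSize
```

A signature status other than Valid is a lead to compare against a known-good installation, not proof of tampering.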