ICONICS GENESIS32/BizViz Security Configurator Authentication Bypass Vulnerability
Low Risk · ICS-CERT ICSA-12-212-01 · May 3, 2012
Summary
ICONICS Genesis32 and BizViz Security Configurator contain an authentication bypass vulnerability that allows unauthorized access to the configuration tool. The vulnerability affects versions 9.22 and earlier of both products. No vendor fix is currently available.
What this means
What could happen
An attacker with access to the Security Configurator tool could bypass authentication and gain unauthorized access to configure or modify Genesis32 and BizViz systems, potentially altering process parameters or system settings without proper authorization.
Who's at risk
This vulnerability affects organizations using ICONICS Genesis32 or BizViz software for process visualization and control. Any facility relying on these systems for manufacturing process management, energy distribution, or water/wastewater treatment operations should be concerned if their engineering workstations or servers are running the affected versions.
How it could be exploited
An attacker with network or physical access to the Security Configurator application could bypass the authentication mechanism to gain unauthorized configuration access. No specific authentication credentials would be required if the bypass is successful.
Prerequisites
- Access to the Security Configurator tool interface
- Network connectivity to the affected system or physical access to an engineering workstation running the Configurator
Tags: no patch available, authentication bypass, affects system configuration tools, no authentication required for bypass
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2), both end of life (EOL)
Product     Affected Versions   Fix Status
Genesis32   ≤ V9.22             No fix (EOL)
BizViz      ≤ V9.22             No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement strict network access controls to limit who can reach the Security Configurator tool, such as firewall rules restricting access to authorized engineering workstations only
- HARDENING: Implement physical security controls to restrict access to workstations running the Security Configurator tool
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- HARDENING: Monitor and log all attempts to access or use the Security Configurator tool
CVEs (1)