OTPulse

RealFlex RealWinDemo DLL Hijack

Low Risk · ICS-CERT ICSA-12-251-01 · Jun 11, 2012
Summary

RealWinDemo, RealWin, and FlexView are vulnerable to DLL hijacking (CWE-427). An attacker with local write access to the application installation directory can place a malicious DLL file that will be loaded by the application during startup, potentially leading to arbitrary code execution on the affected system. All versions up to and including 2.1.12 (RealWinDemo, RealWin) and 3.1.85 (FlexView) are affected. No vendor patches are planned.

What this means
What could happen
An attacker with local access to a system running these products could load malicious code by placing a crafted DLL file in the application directory, potentially allowing unauthorized control of the industrial process or system functions.
Who's at risk
Water utilities, electric utilities, and other industrial operators using RealFlex products for SCADA visualization and control. This affects RealWinDemo (development/demo systems), RealWin (human-machine interface), and FlexView (data visualization) software—primarily impacting engineering workstations and control system display stations.
How it could be exploited
An attacker with write access to the file system where RealWinDemo, RealWin, or FlexView is installed could place a malicious DLL in the application directory. When the application starts and loads dependent libraries, it may load the attacker's DLL instead of the legitimate one, executing arbitrary code with the privileges of the running application.
Prerequisites
  • Write access to the application installation directory on the target system
  • Local access to the system running RealWinDemo, RealWin, or FlexView
  • Application must be restarted to trigger DLL loading
Tags: no patch available · local access required · end-of-life products
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
RealWinDemo | ≤ 2.1.12 | No fix (EOL)
RealWin | ≤ 2.1.12 | No fix (EOL)
FlexView | ≤ 3.1.85 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Implement strict file system permissions on application directories to prevent unauthorized write access
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RealWinDemo: <=2.1.12, RealWin: <=2.1.12, FlexView: <=3.1.85. Apply the following compensating controls:
  • HARDENING: Monitor application directories for unauthorized or unexpected file additions
  • HARDENING: Restrict local access to systems running these products through physical and network controls
  • HARDENING: Consider transitioning to alternative products with active vendor support, as no patches are planned for these end-of-life applications
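
One way to verify the file system permission hardening listed above is to enumerate who can write into the installation directory. This is an added example, not code from the advisory or the vendor; the install path is a placeholder and the list of trusted principals is an assumption to adjust to site policy.

```powershell
# Added example: list principals that can write into the install directory.
param(
    [string]$InstallDir = 'C:\Path\To\RealFlexInstall'  # placeholder path (assumption)
)

# Principals expected to hold write access (assumption; English-locale names).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal create, replace or re-permission files in the folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::CreateFiles -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
# Get-Acl can return raw generic bits unmapped: GENERIC_ALL and GENERIC_WRITE.
$GenericMask = 0x10000000 -bor 0x40000000

function Get-UntrustedWriter {
    param([string]$Path, [string[]]$TrustedPrincipals)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        # Deny entries do not grant access, so only Allow entries are reported.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights   = [int]$rule.FileSystemRights
        $canWrite = ($rights -band $WriteMask) -or ($rights -band $GenericMask)
        $name     = $rule.IdentityReference.Value
        if ($canWrite -and ($TrustedPrincipals -notcontains $name)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the install directory itself and every subdirectory beneath it.
$dirs = @(Get-Item -LiteralPath $InstallDir) +
        @(Get-ChildItem -LiteralPath $InstallDir -Directory -Recurse)
$findings = foreach ($d in $dirs) {
    Get-UntrustedWriter -Path $d.FullName -TrustedPrincipals $Trusted
}
if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    Write-Output "No untrusted write access found under $InstallDir"
}
```

Entries marked Inherited come from a parent folder, so removing them means changing the parent's ACL or disabling inheritance on the install directory.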