OTPulse
FeedAboutContact

Network Vision IntraVue Code Injection Vulnerability

Low RiskICS-CERT ICSA-15-057-01Nov 29, 2015
Summary

Network Vision IntraVue for Windows versions prior to 2.3.0a14 contain a code injection vulnerability (CWE-78) that allows remote code execution. The vulnerability exists in input handling and could allow an attacker to execute arbitrary commands on the application. No patch is currently available from the vendor.

What this means
What could happen
An attacker could inject and execute arbitrary commands on the IntraVue application, potentially compromising the integrity of network monitoring and visualization data that operators rely on for situational awareness.
Who's at risk
Water utilities and electric utilities that use Network Vision IntraVue for SCADA/network monitoring and visualization. Operations staff and engineers who depend on IntraVue for real-time situational awareness of control system networks are affected.
How it could be exploited
An attacker with network access to IntraVue could craft malicious input (such as through a web interface parameter, configuration file, or API call) that exploits the code injection flaw (CWE-78). The injected commands would execute with the privileges of the IntraVue application process.
Prerequisites
  • Network access to the IntraVue application
  • Ability to provide malicious input to IntraVue (via web interface, API, or configuration mechanism)
code injection vulnerability (CWE-78)no patch availableaffects network monitoring and control system visibility
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
ProductAffected VersionsFix Status
IntraVue (Windows): <2.3.0a14<2.3.0a14No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDImplement network access controls (firewall rules) to restrict access to IntraVue to authorized engineering workstations only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXContact Network Vision (vendor) to request a patch or timeline for a security update
Mitigations - no patch available
0/2
IntraVue (Windows): <2.3.0a14 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate or air-gap IntraVue systems from untrusted networks until a vendor fix is available
HARDENINGMonitor IntraVue access logs and process execution for signs of command injection attempts
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/e9ab713a-0edd-4e0b-bd70-24f8cf4e316d