US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

Really?

[rcuhljr]

Security wholes in active-x, whodathunkit.

Re:Really?

[perpenso]

Security wholes in active-x, whodathunkit.

Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)

Re:Really?

[cyber-vandal]

I read that and immediately thought what fucking idiots would use ActiveX for anything so fucking important. And then I thought fucking hell a bit more.

Re:Really?

[Platinumrat]

This is not a suprise to anyone who works in the SCADA industry. For example one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

Re:

[perpenso]

This is not a suprise to anyone who works in the SCADA industry. For example one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

Perhaps I am being overly generous but in some contexts connecting the factory floor to the boardroom is not inherently wrong. Letting the CEO and other execs have a little dashboard type app displaying real time info of what is happening might be OK, note that this is strictly a *read only* application. Its only when the ability to write goes remote that things may have taken a terrible turn.

For example lets say a company has 5 big expensive machines that should be running all the time. It might be OK f

Re:

[ArsenneLupin]

No matter what the case is they should NEVER have used ActiveX.

Yeah, and fuck-you-shima should never have been built where a tsunami could flood it. We are ruled by stupid people, and eventually this will produce a catastrophe big enough to annihilate all of humanity.

Re:

[Platinumrat]

I don't think I phrased my original comment correctly. The CEO in question was in charge of a an internation engineering company that developed SCADA systems. The company also sold the sensors, control system components and engineering design. The catch phrase was the one used to market the products and systems.

Re:

[ozmanjusri]

I read that and immediately thought what fucking idiots would use Windows for anything so fucking important.

FTFY.

Re:

[cyber-vandal]

Good point well made. First FTFY that hasn't made me homicidal, well done ;-)

Re:

[RoverDaddy]

There's a whole 15 year-old standards effort dedicated to this purpose: http://en.wikipedia.org/wiki/OLE_for_process_control [wikipedia.org]

Re:

[perpenso]

There's a whole 15 year-old standards effort dedicated to this purpose: http://en.wikipedia.org/wiki/OLE_for_process_control [wikipedia.org]

I'm not sure that is a fair assessment. OLE is not really a web based technology, its a windows API based technology. It allowed applications to share data and capabilities, apps running on the same machine or apps running on the same private network. It seems the sort of thing a Windows developer would use for the computer sitting next to the industrial machinery, say an operator's console for a computer controlled milling machine. Even extending this idea to web based solutions is not inherently wrong, fo

Re:

[RoverDaddy]

I wasn't responding to any comment about web-based technology. The parent comment referred to: "people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls". I was involved near the start of OPC. This is exactly one of the use cases it was designed to support. Direct connection on the plant floor with Active-X based GUI displays talking to COM-based servers talking to the hardware, and remote connection between displays and those same servers via DCOM. By "

Re:

[perpenso]

By "remote" I basically mean LAN based.

OK, by "remote" I was referring to something that left the internal networks and has touched public networks. At a previous employer we didn't refer to on-site consoles as "remote". "Remote" was only used when the vendor or one of our tech support people were trying to connect from off-site.

Re:Really?

[ediron2]

... and by 1997, I was using OLE, active-X and IE3 (or was it IE4) on Win NT servers and Win95/98 workstations to create a web interface for serial-attached laboratory equipment: GC's, scales, sensors, automated sample feeds, etc. That was just one component of a rather exhaustive collection of active-x-based webpages that handled a big corporation's little high-tech subsidiary's materials tracking, accounting, contract data, quality monitoring and god knows how many other things.

I was never a fan or an expert, but I thought active-X was entirely a pretty container designed around OLE functionality. It *was* guaranteed that monitoring and controlling these systems was possible from any browser that could reach the web server.

Ironically, users needed so many activex controls registered with their desktop OS that it was as un-WORA as web code could be. That would have kept any outsider from causing trouble. That, and a near-airgap of a corporate firewall mentality (forget web access... just 3% of users had external email access).

(Ah, the things we sometimes have to do for a paycheck)

Re:

[pitterpatter]

Are you telling me that while I, as a production employee, am, oh, I don't know, changing cutting heads on my milling machine or maybe unjamming a conveyor belt, some idiot of a manager can see a red icon on his desktop display, decide he needs to turn that machine back to green, and succeed? Without even coming out on the floor where I can throw a wrench at him? That's a serious flaw.

ActiveX ? I heard you were dead.

[Thud457]

Isn't this something you'd have to be using IE to catch?

Re:

[OzPeter]

Isn't this something you'd have to be using IE to catch?

Nope .. a lot of HMI software that runs on windows allows you to embed ActiveX controls. These systems don't runin IE, but do utilise ActiveX technology. The Genesis32 mentioned in TFA seems to be that sort of product (not that I have used it)

Re:ActiveX ? I heard you were dead.

[Red Flayer]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

Re:ActiveX ? I heard you were dead.

[ColdWetDog]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

Hell, Active-X alone would be a reasonable payback for lousy wages. I'd only use VB if they kicked my dog. You're a hard, cruel and nasty man.

Re:

[perpenso]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

If you were to take a survey of folks around here the recommended reaction to someone using a lot of VB and ActiveX would probably not be "give that person a raise". What is the "cause" and what is the "effect" is not clear. ;-)

Re:

[DrXym]

Isn't this something you'd have to be using IE to catch?

Yes in this case however there is nothing inherently safe about NPAPI plugins. People scream and shout about ActiveX but the reality is if you allow a website to run any 3rd party native executable that you are putting yourself at additional risk. Plugins of all shades can be fed duff data, plugins have scriptable interfaces which may not be checking their values correctly and so on.

More important than the technology (ActiveX or NPAPI) is how the browser protects you from damage, first by limiting what pl

This brings up the question

[Attila Dimedici]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

Re:This brings up the question

[rsborg]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

These systems don't have to be on the "internet" in order to be vulnerable. These activex controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).

Re:

[nurb432]

Why are they running windows in the first place and not a more appropriate embedded OS?

Re:

[OzPeter]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the market has said they wanted Windows based products. All of the stuff I am currently working on is targetted at Server 2003 platforms, with thin client viewers, but potentially with XP based terminals (Win 7 is slowly creeping in).

Can you suggest an embedded platform that handles server class functionality and performance? If so, feel free to develop your market segment.

Re:

[Noughmad]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the PHB has said they wanted Windows based products.

FTFY

Re:

[OzPeter]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the PHB has said they wanted Windows based products.

FTFY

And your version is different from mine, how?

Re:

[tlhIngan]

Why are they running windows in the first place and not a more appropriate embedded OS?

The actual controllers aren't. It's the management interface that is, and it's not unusual, especially when things like OPC (OLE for Process Control, yes, OLE, the daddy of COM and ActiveX) exist, so management of industrial process equipment from Windows has a very long history dating to Windows 3.x.

And back before things were networked heavily, it was OK so security was lax. These days though, even if you had separated

Re:

[nurb432]

Not on my watch he wouldn't, at least not directly. He would be given a data dump that *I* safely gathered for him. The 2 networks would never cross paths.

Control systems would never see the light of day, so to speak.

Re:

[OzPeter]

Not on my watch he wouldn't, at least not directly. He would be given a data dump that *I* safely gathered for him. The 2 networks would never cross paths.

Control systems would never see the light of day, so to speak.

And the first time you missed delivering production data to some manager at 3AM because you weren't around to manually process the data "safely", you'd be called to the carpet in front of your manager and asked to explain why you were wasting company resources and what you planned to do about it.

Re:

[OzPeter]

When he says "I safely gathered" I presume him to actually mean:

Yet his whole system is predicated on the two networks not meeting. From which I took him to mean an air gap

Re:

[tehcyder]

You're missing the point entirely. If you have the data update itself at a pre-scheduled time, a manager will want the data an hour after that time, and he won't necessarily want to wait another 7 hours for it. What he wants is to be able to click on a uton on his spreadsheet and get the real time data, and to achieve this with your system, you'd need people on hand 24 hours a day to supply it manually.

Who said these systems are on the WWW?

[mmell]

The advisory says that this ActiveX-based software is vulnerable. It doesn't say it's on internet-facing httpd servers.

Re:

[Attila Dimedici]

The advisory says "Attackers could use JavaScript hosted on an attack Web page ..." That certainly implies that the vector for attack would be if someone went to an outside web page.

Re:

[cnettel]

But it would also be if someone sent some other semi-safe file (a Word document, for example), where the control was embedded. And, depending on security zone settings (scripting is disabled for local files by default in IE these days), a HTML file on some physical medium would suffice as well.

Re:

[Bacon Bits]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

Because they're installed an configured by electronics engineers and computer programmers, not sysadmins. They bitch and moan and piss and whine and call one VP after another until the sysadmins say, "Fine, it's on the network and has unfiltered access to the Internet and automatically logs in to an Admin account. We're not fixing it when it breaks so you're getting the call at 3am when the custodian accidentally unplugs it for the 30th time. It's not backed up unless you do it (and we know you won't).

Re:

[Attila Dimedici]

Hey, I've given that speech...Ok, not that exact speech, but one very similar.

Re:

[cyber-vandal]

You do know that web browsers can be used on networks other than the internet don't you?

Controls are a different Beast...

[Rogue974]

I am a Controls Engineer and work with HMI interfaces everyday.

We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

Re:Controls are a different Beast...

[anchovy_chekov]

You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ [xpca.org] - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of the their systems to the better-budgeted (and more politically savvy) IT departments.

It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"

Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.

Re:

[Rogue974]

You are right about me being lucky. When we laid out network several years back, we had the luxury of being allowed to do it the way we needed it. We were given the budget and were not told to merge it with ITs network. We ran our own cables, put in our own hardware and got it all set up.

The funny thing about the finances of it, our insurance company does and audit of the site every year. Every year they ask us 2 questions, one of which is if we still have the air gap between the controls network and th

Re:

[Pharmboy]

Read his words foo, there is air between his intranet and the internet.

"They would have to penetrate our security perimeter first in order to gain access to our controls system." ...means, they would have to physically walk into their building, getting passed their security perimeter. Those words have a meaning besides the internet, and even predates the internet. Unless the hacker can gain PHYSICAL access to one of the systems inside the building, it isn't going to get hacked.

Re:

[Rogue974]

We have an air gap. When I say penetrate our perimeter security, I meant actual physical perimeter security, i.e. barbed wire fence, etc and gain physical access to our equipment.

Re:

[VortexCortex]

I am a Controls Engineer and work with HMI interfaces everyday.

We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

::sigh:: Stuxnet. Delivered by USB. ANY data allowed in, discs, e-mail, etc, is a liability. You've got an intranet with all your own switches, etc. The air gap get's breached via sneaker net once, and you're toast. There is no such thing as fool-proof.

Re:

[Rogue974]

Yup, like I said, "They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway."

You can not make something 100% full proof because if they can gain physical access they always win. You can get close though by making physical access be the only way they can get access. Best way to protect and then it also helps with these, they found an exploitable bug scenarios.

Re:

[Rogue974]

Responding to an AC, but oh well.

As I posted, if the attacker has physical access, we have lost. It doesn't matter what HMI software you use, if an outsider can gain physical access to your system, the battle has already been lost.

The point about the benefit of solving problems from home at 2:00 am. We have made the decision that we will just make the drive in because we do not want to risk the lives of the people on site. If we have a physical connection we can use, then someone else can possibly break

Re:

[Rogue974]

You are right about IT and Controls having different skill sets and quite often not getting what should be done when ti comes to controls. At our plant, IT and controls are completely separate. We have enough IT expertise to set up and maintain our system in the control group. The controls group has set the policies that are in place regarding the controls system and we set it that we will make the drive in to do support from inside the perimeter rather then open ourself up to the risk.

It is a constant

Re:

[lennier]

Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Restarted as a syllogism:

1. Properly designed HMI control systems are perfectly safe, since the manufacturers make sure they don't touch the Internet.
2. HMI control systems manufacturers appear incapable of proper design, since they release vulnerable code every month.
3. ... Prepare for unforeseen consequences.

WTF?Embedded RealTimeControlSystems, Determinism..

[aaronpeacock]

For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems?????? THIS is not some anti-microsoft rant mind you- its simply that Industrial Control Systems DO NOT USE consumer operating systems but rather HARD REAL TIME OPERATING SYSTEMS. If you do not know what the word "Deterministic" means in relation to Embedded Computing, you should go look it up first. There is a process known as Verification where

Re:

[obarthelemy]

Sorry, offtopic:

Has anyone ever told you that the way you try and make your points actually kinda weakens them ? Your post has some interesting content, but the way it is written angers, distracts, even takes away quite a chunk of your credibility.

Re:

[theshowmecanuck]

Because it is easier to control your system with a GUI than a command line. A picture is worth a thousand words, especially if you are monitoring various components across a large system. Nothing says the control systems themselves aren't running on specialized OS's, but what is wrong with exposing hooks for a GUI to control it with (and now-a-days you WILL need a GUI in a control room somewhere for most applications)? At least with Windows you know the risks and can at least mitigate if not eliminate them.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[Locutus]

the last year Chief Systems Engineers were included in top level management meeting and relied on to direct the technical direction of products was around 1994. About that time, management was getting comfortable with Microsoft Windows and the semi technical ones or those managing technical staffs were getting gobs of literature all about how Microsoft Windows and Microsoft software could fly them to the moon and back before lunch was over. They were playing with Visual Basic and became expert programmers in their own minds. That is when management started dictating what tools would be used on products and when pressed would tell you that nobody gets fired for choosing Microsoft.

FYI, there was a UNIX based comm system up at LAX which got replaced by a Windows 9x box. When they found out the OS would repeatably crash after 49 days or something like that they solved the problem with a reboot _every_ 30 days. A new guy came onboard, thought hey, things are running fine so why reboot it. CRASH and for about 6 hours LAX has not ground to air nor air to ground communications. Many close calls but no crashes. But the 3fing idiots used a Windows box, Windows 9x even, for a mission critical system. I quit a military contract position when word came down from Command that all UNIX systems would be replaced with Windows. The way I see it, there are idiots making technical choices all around us and until Microsoft fades away, that's not going to change.

I miss the days when the Chief Systems Engineer ran the show and was usually the brightest person in the company and everyone knew it.

LoB

Re:

[Platinumrat]

I'm sorry to wake you up from your little dream world. But the largest supplier of SCADA control software is all Windows based. Plus no-adays, software developers, and more especially the managers leading them, have no clue what Deterministic or Hard Real Time mean.

I've seen supposed Control System development companies throw out the systems based on Commercial RTOSs and with a proven track record, basically because they don't support the latest and greatest Fads (like REST, XML, HTTP, SVG). The manage

Re:

[MightyYar]

For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems??????

In our case, two reasons:
1. USB sticks. These things are a serious nightmare. Customer requirements are to be able to load programs via USB, and yet some USB sticks give trouble to some non-Windows systems. Our pre-Windows solution was to provide a list of known-working USB sticks. This was a nightmare, since the available sticks part numbers seemed to change from week to week. We stocked sticks and even gave out working ones, but it took an amazing amount of effort. Virtually every stick on the market has

Re:

[Alex Belits]

1. USB sticks. These things are a serious nightmare.

Not true for at least half a decade.

2. Machine vision libraries. Our vendor is awesome and was willing to port their libraries to anything we wanted. However, the warning was that we would be the only users (or one of only a handful) on a non-Windows system. We were not willing to take that risk.

If you use off-the-shelf, general-purpose yet proprietary single-vendor machine vision library for industrial control, you are doing it seriously wrong.

Re:

[MightyYar]

Not true for at least half a decade.

Amazing, because that's about exactly when the decision was made!

If you use off-the-shelf, general-purpose yet proprietary single-vendor machine vision library for industrial control, you are doing it seriously wrong.

Why? Everything involves compromises. This vendor was particularly good at our specific application.

To be fair, if the decision was made today, it might be Linux. More people use the library with Linux now, and Linux seems to work with USB keys of all flavors. We may even go that route eventually as a unit cost reduction if hardware support can be consistently found.

Sony Mentality

[Nethemas the Great]

"Thanks for the warning now lets get back to the real issues... How are shareholder forecasts locking for next quarter?"

A little explanation please?

[Trubacca]

Is there a reason ActiveX is being used in software that controls critical infrastructures? I don't want to jump to conclusions, but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

Re:

[anchovy_chekov]

History. ICONICS have been around for a long time - their ActiveX controls were originally used inside native Win32 apps. It was an easy way to get reasoably good looking HMIs built when you needed something clean looking (and UI design wasn't your strong point). Fast forward a decade and what kinda worked in native apps has been moved to the web, with nary a thought of the security implications. I wouldn't blame either IT or Engineering per se, but there clearly not been a lot of dialogue between these two

Re:

[Nethemas the Great]

... but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

I thought that was standard practice...

Re:

[cnettel]

Is there a reason ActiveX is being used in software that controls critical infrastructures? I don't want to jump to conclusions, but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

Yeah. That way, you can build "rich" VB apps on top of the control developed by the vendor. What good is a control system if you can only control it through one single fixed-function Windows application?

Re:

[account_deleted]

Comment removed based on user account deletion