A recent security assessment by Palo Alto Networks’ Unit 42 has uncovered multiple vulnerabilities in the ICONICS Suite, a widely used Supervisory Control and Data Acquisition (SCADA) system.
These vulnerabilities, identified in versions 10.97.2 and earlier for Microsoft Windows, pose significant risks to critical infrastructure sectors such as government, military, manufacturing, water and wastewater, and utilities & energy.
The vulnerabilities include DLL hijacking, incorrect default permissions, uncontrolled search path elements, and dead code issues, which can lead to denial-of-service (DoS) conditions, privilege escalation, and even full system compromise.

Impact of Vulnerabilities
The identified vulnerabilities allow attackers to exploit weaknesses in the ICONICS Suite, particularly through DLL hijacking and incorrect default permissions.
For instance, the DLL hijacking vulnerability (CVE-2024-1182) in the Memory Master Configuration (MMCFG) can lead to elevation of privileges.
This occurs when an attacker places a malicious DLL in a directory where the system will load it, enabling arbitrary code execution and system integrity compromise.

Additionally, the incorrect default permissions vulnerability (CVE-2024-7587) in GenBroker32 allows authenticated attackers to disclose or tamper with confidential information and to cause a DoS condition.
This vulnerability arises when overly permissive settings grant system-wide user access to critical directories.
The vulnerabilities also include uncontrolled search path elements (CVE-2024-8299 and CVE-2024-9852), which enable local authenticated attackers to execute malicious code by storing specially crafted DLLs in specific folders.
These vulnerabilities can lead to privilege escalation and arbitrary code execution.
Furthermore, the dead code vulnerability (CVE-2024-8300) allows attackers to execute malicious code by tampering with specially crafted DLLs.
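The precondition that links the DLL hijacking and incorrect-default-permissions findings above is a directory on a privileged application's DLL search path that ordinary users can write to. The following PowerShell script is an added defensive example, not code from the article, from Unit 42 or from ICONICS: it audits the ACLs of an application's install directory tree and reports any directory where a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) holds write-type rights. The install path is an assumed placeholder; point it at the product's real directories.

```powershell
# Added example (not from the article, Unit 42 or ICONICS): audit directory ACLs for
# write access granted to broad principals. A user-writable directory on a privileged
# process's DLL search path is what makes DLL hijacking possible.
# $Paths below is an assumption; replace it with the real install directories.
param(
    [string[]]$Paths = @("C:\Program Files\ExampleVendor\ExampleApp")  # placeholder
)

# Principals whose write access to an application directory is a red flag.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller create or replace files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

function Test-DirectoryAcl {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries narrow it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic-rights ACEs (large/negative enum values) compare cleanly.
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Directory
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Path not found: $root"
        continue
    }
    # Audit the root and every subdirectory, since a DLL may be resolved from any of them.
    $dirs = @(Get-Item -LiteralPath $root) + (Get-ChildItem -LiteralPath $root -Directory -Recurse)
    foreach ($d in $dirs) { Test-DirectoryAcl -Directory $d.FullName }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host "Remediation: remove the write rights listed above, for example:"
    Write-Host '  icacls "<dir>" /inheritance:d /remove:g "BUILTIN\Users"'  # illustrative
} else {
    Write-Host "No broad write access found on the audited directories."
}
```

Run it from an elevated PowerShell session so every directory's ACL is readable. Inherited entries are reported too, because a permissive ACE set once on a parent folder (the "overly permissive settings" the article describes) propagates to every subdirectory the application loads from.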

Mitigation and Response
To address these vulnerabilities, ICONICS released security patches and advisories in 2024.
Users are advised to update their systems to the latest versions and apply the recommended workarounds.
Palo Alto Networks’ security solutions, such as Cortex XDR and XSIAM, can detect known and novel DLL hijacking attacks, while Cortex Cloud helps identify malware using DLL hijacking techniques.
For those concerned about potential compromises, contacting the Unit 42 Incident Response team is recommended.
The exposure of several dozen ICONICS servers to the internet further underscores the urgency of implementing these security measures to protect against external threats.