ICS Summary for Week of October 20, 2017

By Kimberly Matsumoto on October 20, 2017

SpiderControl MicroBrowser Found Vulnerable


ICS-CERT has released an advisory for SpiderControl’s MicroBrowser.  Security researcher Karn Ganeshen reported a vulnerability in the Swiss-based company’s touch-panel software that, if exploited, would allow an attacker to execute arbitrary code on the system (ICS-CERT, 2017).  SpiderControl creates products for programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) devices, and human machine interface (HMI) systems, and these products are used across several sectors.  The MicroBrowser is a viewer for HMIs designed with CoDeSys or SpiderControl Editor.  It is deployed on a variety of PLCs and is used primarily in the Critical Manufacturing sector in Europe.

SpiderControl MicroBrowser Display

The vulnerability is an uncontrolled search path element (CWE-427).  Mitre defines this as: “the product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.” (Mitre, 2017).  In this instance the resource is a dynamic-link library (DLL).  When a Windows program loads a DLL by file name alone, the loader walks a fixed sequence of directories (the application directory, the system directories, the current working directory, the directories on PATH) and uses the first match.  If an attacker can write a specially crafted DLL of the same name into a directory that is consulted before the one holding the legitimate copy, the MicroBrowser loads the attacker’s library and executes its code.
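To make the search-order problem concrete, the following added example (constructed for this summary, not SpiderControl’s code or ICS-CERT’s analysis) models the Windows DLL search order and reports which directory would satisfy a LoadLibrary("name.dll") call. The directory layout, file listings, writable directories and DLL names are assumptions chosen to illustrate the bug class; the model ignores the KnownDLLs list and manifest redirection. It also shows the fix: loading by a fully qualified path, so no attacker-writable directory is ever consulted.

```python
"""Model the Windows DLL search order to show how CWE-427 (uncontrolled
search path element) leads to DLL planting.

Added, constructed example: the layout below is assumed for illustration
and does not describe SpiderControl's product or the advisory's details.
"""

# Search order with SafeDllSearchMode enabled (the default since XP SP2).
SAFE_SEARCH_ORDER = ("app_dir", "system32", "system", "windows", "cwd", "path")
# Search order with SafeDllSearchMode disabled: the current working
# directory is consulted second, before the system directories.
LEGACY_SEARCH_ORDER = ("app_dir", "cwd", "system32", "system", "windows", "path")

# Constructed directory layout (assumed; vendor name is a placeholder).
APP_DIR = r"C:\Program Files\ExampleVendor\Viewer"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
CWD = r"C:\Users\operator\Downloads"   # where the operator opened a file
TOOLS = r"C:\Tools"                      # on PATH and world-writable by mistake

DIRS = {
    "app_dir": [APP_DIR],
    "system32": [SYSTEM32],
    "system": [SYSTEM16],
    "windows": [WINDIR],
    "cwd": [CWD],
    "path": [TOOLS],
}

# Files actually present in each directory (constructed).
LISTING = {
    APP_DIR: {"viewer.exe", "ui.dll"},
    SYSTEM32: {"kernel32.dll", "version.dll"},
}

# Directories an unprivileged user, or an attacker who can drop a file via a
# share or a download, is able to write to (constructed).
WRITABLE = {CWD, TOOLS}


def _has(listing, directory, name):
    """Case-insensitive check that `name` exists in `directory`."""
    return name.lower() in {f.lower() for f in listing.get(directory, ())}


def first_winner(name, order, dirs=DIRS, listing=LISTING, writable=WRITABLE):
    """Walk the search order the way LoadLibrary("name") would.

    Returns (directory, reason). An attacker-writable directory reached before
    the legitimate copy wins with reason "attacker-writable", because a DLL
    planted there is found first (this also covers a DLL that is missing
    everywhere, the "phantom DLL" case). Otherwise the first directory holding
    the file wins with reason "legitimate".
    """
    for slot in order:
        for directory in dirs.get(slot, ()):
            if directory in writable:
                return directory, "attacker-writable"
            if _has(listing, directory, name):
                return directory, "legitimate"
    return None, "not found"


def is_hijackable(name, order, **kw):
    """True when a DLL planted by the attacker would be loaded."""
    return first_winner(name, order, **kw)[1] == "attacker-writable"


def resolve_qualified(full_path, listing=LISTING):
    """The fix: load by fully qualified path (or restrict the search with
    LOAD_LIBRARY_SEARCH_SYSTEM32 / SetDefaultDllDirectories). Only the named
    directory is consulted; there is no fallback through writable locations."""
    directory, _, name = full_path.rpartition("\\")
    return directory if _has(listing, directory, name) else None


def audit(names, order, **kw):
    """Map each DLL name to the directory and reason that would win."""
    return {n: first_winner(n, order, **kw) for n in names}


if __name__ == "__main__":
    for label, order in (("SafeDllSearchMode on", SAFE_SEARCH_ORDER),
                         ("SafeDllSearchMode off", LEGACY_SEARCH_ORDER)):
        print(label)
        for dll, (where, why) in audit(["ui.dll", "version.dll", "helper.dll"], order).items():
            print(f"  {dll:12} -> {where!s:45} ({why})")
    print("qualified load:", resolve_qualified(SYSTEM32 + r"\version.dll"))
```

Two outcomes are worth noting.  With SafeDllSearchMode on, a system DLL such as the assumed version.dll resolves to System32 before the writable working directory is reached, but a DLL the program asks for that does not exist anywhere still falls through to the first writable directory.  With SafeDllSearchMode off, even the system DLL is hijackable from the working directory.  Passing `writable=WRITABLE | {APP_DIR}` models the common deployment mistake of an installation directory writable by standard users, in which case every library the viewer loads becomes hijackable regardless of search mode; checking the ACL on the install directory is therefore the first thing to verify on a deployed panel.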

As of now, there are no known public exploits specifically targeting this vulnerability.  ICS-CERT nonetheless rates it as exploitable by an attacker with low skill and as remotely exploitable, so it poses a definite threat to a system’s security; in practice the attacker must first be able to place a file in a directory on the MicroBrowser’s search path, for example a writable installation directory, a network share, or a downloaded file the operator opens.  SpiderControl has released a software update for the MicroBrowser, Version, addressing the vulnerability.  Users are urged to update to the new version as soon as possible.

Vulnerable Devices:

  • SpiderControl MicroBrowser for Windows XP, Vista, 7, 8, 10 – Versions and prior

Patches and Updates:

Sources: ICSA-17-292-01 (ICS-CERT), CWE-427: Uncontrolled Search Path Element (Mitre)