Supervisory Control and Data Acquisition (SCADA) systems are the backbone of numerous critical infrastructure sectors globally, including government, manufacturing, energy, and water treatment facilities. The ICONICS Suite, encompassing GENESIS64™ and MC Works64, is a widely adopted SCADA solution with hundreds of thousands of installations across over 100 countries. Recent security assessments have brought to light a series of significant vulnerabilities within these products, posing considerable risks to operational technology (OT) environments. These weaknesses could allow malicious actors to perform a range of harmful activities, from causing denial-of-service (DoS) conditions to executing arbitrary code and bypassing crucial authentication mechanisms. Understanding the scope and potential impact of these vulnerabilities is paramount for organisations relying on these systems to implement effective protective measures.
A prominent category of identified threats involves DLL hijacking. Specifically, CVE-2024-1182 highlights a DLL hijacking vulnerability within the Memory Master Configuration (MMCFG) component, potentially leading to an elevation of privileges. This arises from an outdated SMS software development kit and improper DLL path specification, allowing attackers to replace legitimate DLL files with malicious ones. Similar vulnerabilities, identified as CVE-2024-8299, CVE-2024-8300, and CVE-2024-9852, affect various versions of GENESIS64™ and MC Works64. These uncontrolled search path element and dead code vulnerabilities can be exploited through phantom DLL hijacking (where a process tries to load a DLL that is not present on the system, so a file planted in a writable location on the search path is loaded instead) in processes such as MelSim2ComProc.exe and MMXCall_in.exe, enabling persistence, stealth, and the abuse of trust relationships, potentially deceiving endpoint detection and response (EDR) systems.
Another critical vulnerability, CVE-2024-7587, is an incorrect default permissions vulnerability in GenBroker32, a utility included in the installers for older versions of ICONICS and Mitsubishi Electric GENESIS64 and MC Works64. Unwittingly installing GenBroker32, even alongside the newer GenBroker64, can lead to overly permissive settings on a critical directory (C:\ProgramData\ICONICS) containing key binaries and configuration files. This gives all users on the system access to the directory, allowing attackers to manipulate critical files, potentially leading to unauthorised access, data tampering, privilege escalation, and even full system compromise. The ease with which these permissions can be modified underscores the severity of this misconfiguration.
Beyond DLL hijacking and permission issues, other vulnerabilities further broaden the attack surface. CVE-2023-2650 and CVE-2023-4807 are DoS vulnerabilities affecting GENESIS64™ Version 10.97.2 when the BACnet® Secure Connect feature is enabled. These stem from issues within the integrated OpenSSL library during data validation and MAC implementation. Additionally, CVE-2024-1573 presents an authentication bypass vulnerability in the mobile monitoring feature under specific Active Directory configurations. Lastly, CVE-2024-1574 involves a malicious code execution vulnerability in the licensing feature due to unsafe reflection.
The discovery of these multiple vulnerabilities within a widely used SCADA system like ICONICS Suite highlights the persistent challenges in securing OT environments. The potential impact of these vulnerabilities is significant, ranging from data breaches and operational disruptions to complete system compromise, particularly given the critical nature of the industries relying on these systems. While ICONICS has released patches and advisories, the continued presence of unpatched systems accessible via the internet underscores the urgency for organisations to implement recommended security measures.
Cybersplice offers solutions that can help protect against exploitation of vulnerabilities like those mentioned above. Cybersplice can provide rapid visibility of your OT network using its Splicecloud platform with zero-touch or virtual probes that offer full asset tracking and behavioural analysis. Cybersplice can also create a secure private sensor network via Splice-net, which is an encrypted overlay network that works on top of existing carrier infrastructure, offering secure, carrier-independent connectivity. Furthermore, Cybersplice provides an ICS Secure Access Edge that incorporates logical isolation, vulnerability shielding via an encrypted overlay network, passive node discovery, and secure remote access for operators and support partners.