#VU29164 Deserialization of Untrusted Data in GENESIS64 and GENESIS32 - CVE-2020-12009

Cybersecurity Help s.r.o.

Published: 2020-06-19 | Updated: 2020-07-01

Vulnerability identifier: #VU29164

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-12009

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GENESIS64
Server applications / SCADA systems
GENESIS32
Server applications / SCADA systems

Vendor: ICONICS, Inc.

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure input validation when processing serialized data in GenBroker64/GenBroker32 component in Workbench Pack-and-Go function. A remote attacker can use a specially crafted PKGX files to execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GENESIS64: 10.5

GENESIS32: 8.0 - 9.2

External links
https://ics-cert.us-cert.gov/advisories/icsa-20-170-03
https://iconics.com/Support/CERT
https://www.zerodayinitiative.com/advisories/ZDI-20-777/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in ICONICS BizViz

Multiple vulnerabilities in ICONICS MobileHMI

Multiple vulnerabilities in ICONICS Energy AnalytiX

Multiple vulnerabilities in ICONICS Hyper Historian

Multiple vulnerabilities in ICONICS GENESIS64 and GENESIS32