CVE-2023-6061: Phantom DLL hijacking vulnerabilities in Iconics Suite
Multiple components of Iconics SCADA Suite are prone to a Phantom DLL loading vulnerability. This issue arises from the applications improperly searching for and loading dynamic link libraries, potentially allowing an attacker to execute malicious code via a DLL with a matching name in an accessible search path. The affected components and the DLLs involved are:
- MMXFax.exe - winfax.dll
- MelSim2ComProc.exe - Sim2ComProc.dll
- MMXCall_in.exe - libdxxmt.dll
- MMXCall_in.exe - libsrlmt.dll
By Asher Davila and Malav Vyas, Palo Alto Networks Researchers
Iconics Suite is a collection of software tools and solutions primarily focused on automation, building management, manufacturing, and industrial applications. It offers a range of functionalities including:
- SCADA (Supervisory Control and Data Acquisition): Provides real-time monitoring and control of industrial, infrastructure, and facility-based processes.
- HMI (Human-Machine Interface): Offers interactive interfaces for operators to monitor and manage industrial and building automation systems.
- Building Automation and Energy Management: Helps in managing and optimizing building systems like HVAC, lighting, and power systems for efficiency and sustainability.
- Manufacturing Intelligence: Provides analytics and reporting tools for optimizing manufacturing processes and improving productivity.
- Asset Management: Assists in managing and tracking the performance and maintenance of industrial assets.
Phantom DLL Hijacking is an attack technique that takes advantage of the way applications load Dynamic Link Libraries (DLLs). Unlike classic DLL hijacking, which replaces a legitimate DLL with a malicious one, Phantom DLL Hijacking reintroduces an obsolete or no-longer-used legitimate DLL into the system, with that obsolete DLL modified to perform malicious activities. It is therefore a variant of DLL hijacking with a subtle difference in approach: the attacker places the obsolete or unused DLL in a location from which the application would typically load it, and the application, believing it is loading a genuine, required DLL, executes the code within the phantom DLL…
Impact
Arbitrary Code Execution: Similar to DLL hijacking, Phantom DLL Hijacking can result in the execution of arbitrary code. The application unknowingly runs the malicious code within the phantom DLL, leading to various security breaches.
Persistence and Stealth: Phantom DLLs can be more challenging to detect since they appear legitimate. They can remain operational for extended periods, allowing continuous unauthorized access.
System Integrity Compromise: The phantom DLL can destabilize the system by introducing bugs, errors, and crashes, affecting both the application and overall system stability.
Trust Relationship Abuse: Applications trust the DLLs they load. Phantom DLL Hijacking exploits this trust, allowing attackers to perform trusted actions that can lead to significant security breaches.
Vulnerability Overview
It was possible to confirm that the following software components are vulnerable to Phantom DLL hijacking via the following DLLs:
- MMXFax.exe - winfax.dll
- MelSim2ComProc.exe - Sim2ComProc.dll
- MMXCall_in.exe - libdxxmt.dll
- MMXCall_in.exe - libsrlmt.dll
Prevention
Secure Coding Practices: Developers should use secure methods for loading DLLs, such as loading them by absolute path rather than by bare file name and using code signing to verify the integrity of each DLL before it is loaded.
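To make the exposure described in the Vulnerability Overview and the Prevention sections concrete from a defender's side, the following added example (not code from the advisory, from Palo Alto Networks, or from Iconics) audits a process's DLL search order for phantom-DLL exposure. It walks the directories in the order the Windows loader consults them when SafeDllSearchMode is enabled (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH entries) and reports, for each DLL name, where the name resolves and which writable directories are consulted before that point. A name that resolves nowhere is a phantom DLL. The directory list, file contents, ACL flags and the `C:\Program Files\ExampleApp` path are constructed sample data; only the four DLL names come from the advisory, and `kernel32.dll` is included as a control that resolves normally.

```python
"""Audit the Windows DLL search order for phantom-DLL exposure (added example).

For each DLL name an application tries to load, walk the directories the loader
would consult in order and record where the name resolves and which writable
directories are searched before that point.  A name that resolves nowhere is a
phantom DLL: any writable directory in the search order can supply it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SearchDir:
    path: str
    files: Set[str]      # lower-cased file names present in this directory
    writable: bool       # True if a low-privilege user can create files here


@dataclass
class Finding:
    dll: str
    resolved_in: Optional[str] = None                      # directory that satisfies the load
    exposed_dirs: List[str] = field(default_factory=list)  # writable dirs searched before resolution
    phantom: bool = False                                  # True if no directory provides the DLL


def audit_dll(dll: str, search_order: List[SearchDir]) -> Finding:
    """Resolve one DLL name the way the loader would and record the exposure."""
    name = dll.lower()          # Windows file names are case-insensitive
    finding = Finding(dll=dll)
    for d in search_order:
        if name in d.files:
            finding.resolved_in = d.path
            return finding      # the loader stops at the first hit
        if d.writable:
            finding.exposed_dirs.append(d.path)
    finding.phantom = True      # searched everything, found nothing
    return finding


def audit_all(dlls: List[str], search_order: List[SearchDir]) -> Dict[str, Finding]:
    return {dll: audit_dll(dll, search_order) for dll in dlls}


def risky_findings(findings: Dict[str, Finding]) -> List[str]:
    """DLL names that are phantom or pass through a writable directory before resolving."""
    return sorted(d for d, f in findings.items() if f.phantom or f.exposed_dirs)


# Constructed sample: default search order with SafeDllSearchMode enabled.
# Paths and writability flags are hypothetical, not taken from the advisory.
SAMPLE_SEARCH_ORDER = [
    SearchDir(r"C:\Program Files\ExampleApp", {"mmxfax.exe", "mmxcall_in.exe"}, writable=False),
    SearchDir(r"C:\Windows\System32", {"kernel32.dll", "user32.dll"}, writable=False),
    SearchDir(r"C:\Windows\System", set(), writable=False),
    SearchDir(r"C:\Windows", set(), writable=False),
    SearchDir(r"C:\Users\operator\Documents", set(), writable=True),  # current directory
    SearchDir(r"C:\Tools", set(), writable=True),                     # writable PATH entry
]

# DLL names from the advisory, plus kernel32.dll as a control that resolves normally.
SAMPLE_DLLS = ["winfax.dll", "Sim2ComProc.dll", "libdxxmt.dll", "libsrlmt.dll", "kernel32.dll"]


def report(findings: Dict[str, Finding]) -> List[str]:
    """One human-readable line per DLL, for an audit report."""
    lines = []
    for dll, f in findings.items():
        if f.phantom:
            lines.append(f"{dll}: PHANTOM; writable directories in search order: "
                         f"{', '.join(f.exposed_dirs) or 'none'}")
        elif f.exposed_dirs:
            lines.append(f"{dll}: resolves in {f.resolved_in}, but writable directories "
                         f"are searched first: {', '.join(f.exposed_dirs)}")
        else:
            lines.append(f"{dll}: resolves in {f.resolved_in}; no writable directory ahead of it")
    return lines


if __name__ == "__main__":
    for line in report(audit_all(SAMPLE_DLLS, SAMPLE_SEARCH_ORDER)):
        print(line)
```

In a real assessment the directory list comes from the process's actual search order (Process Monitor's `NAME NOT FOUND` results for `CreateFile` on a DLL name are the usual source) and the writability flags from the directories' ACLs. The developer-side fix the Prevention section describes corresponds to loading by absolute path or restricting the search with `LoadLibraryEx` and `LOAD_LIBRARY_SEARCH_SYSTEM32` (or `SetDefaultDllDirectories`), so that the current directory and PATH are never consulted.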
Disclosure Timeline
July 27th, 2023 - Submitted a report with our findings on the Iconics website.
July 28th, 2023 - Iconics security team confirmed receipt and requested more details regarding the exploitability of the reported vulnerabilities.
October 19th, 2023 - Iconics provided a comprehensive and detailed report of their tests, agreeing that there were vulnerabilities present in Iconics Suite related to Phantom DLL hijacking.
Conclusion
In summary, Iconics Suite has been found to be vulnerable to Phantom DLL hijacking via the following DLLs:
- winfax.dll
- Sim2ComProc.dll
- libdxxmt.dll
- libsrlmt.dll
Iconics is actively working to remediate the aforementioned vulnerabilities.