Security flaw has not been assigned a CVE identifier

Mar 12, 2015 11:15 GMT

A glitch in some versions of the Telerik Analytics Monitor Library can be exploited to give an attacker access to the components of an industrial control system (ICS) by causing the application to load a malicious set of DLLs.

The library provides application analytics services and is integrated into other software solutions (such as those developed by Elipse) that are used in ICS environments; its purpose is to gather application metrics for vendors.

Custom OpenSSL with hardware support at fault

Security researcher Ivan Javier Sanchez of the Argentina-based Nullcode Team, which focuses on ICS and SCADA research, discovered the vulnerability after detecting a process control glitch in Telerik’s product.

The security flaw was introduced in version 3.2.96 of the library, launched on August 3, 2014, when hardware support was included in the Telerik custom version of the OpenSSL cryptographic library.

OpenSSL is used for encrypting the information collected from the machine in transit to the vendor. In the faulty revision of the analytics app, four cryptography DLLs, which are not distributed by Telerik, would be loaded at runtime.

According to a security advisory from the CERT division at Carnegie Mellon University, a threat actor could take advantage of the flaw and provide malicious DLLs to be loaded in the context of the Telerik-based application.

“The Telerik Analytics Monitor Library has been used in Industrial Control Systems (ICS), which may allow significant access to the ICS if the vulnerability is exploited,” the advisory explains.

Update to the latest version recommended

No Common Vulnerabilities and Exposures (CVE) identification number has been assigned to the flaw, but CERT calculated a severity score based on the Common Vulnerability Scoring System (CVSS) and arrived at a base score of 6.2.

Telerik has rolled out version 3.2.125 of the library, which plugs the security hole by disabling hardware support in OpenSSL, so no third-party DLLs are loaded.

However, the developer recommends switching to build 3.2.129, which integrates an additional security fix for a regression bug.
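For asset owners triaging deployments, the version boundaries above can be applied to a software inventory. The following is an added example, not code from Telerik, CERT or the researcher: it classifies each install by library version and lists DLLs in the application directory that the application package did not ship. The inventory format, host names, file names and status labels are assumptions, and only the application directory is considered.

```python
import re

# Version boundaries as reported in the article.
INTRODUCED = (3, 2, 96)     # hardware support added to the custom OpenSSL
FIXED = (3, 2, 125)         # hardware support disabled
RECOMMENDED = (3, 2, 129)   # additional regression fix

def parse_version(text):
    """Return (major, minor, build), or None if the string is unparsable."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"                 # needs manual review
    if v < INTRODUCED:
        return "predates-flaw"
    if v < FIXED:
        return "vulnerable"
    if v < RECOMMENDED:
        return "fixed-update-advised"
    return "recommended"

def audit(install):
    """Classify one install and list DLLs its package did not ship."""
    status = classify(install.get("monitor_version"))
    shipped = {n.lower() for n in install["shipped"]}
    extra = sorted(n for n in install["present"]
                   if n.lower().endswith(".dll") and n.lower() not in shipped)
    # Unshipped DLLs matter most where the library may still load them.
    review = status in ("vulnerable", "unknown") and bool(extra)
    return {"host": install["host"], "status": status,
            "unshipped_dlls": extra, "review": review}

# Constructed inventory: hosts, file names and manifests are placeholders.
INVENTORY = [
    {"host": "hmi-01", "monitor_version": "3.2.96",
     "shipped": ["App.exe", "Monitor.dll"],
     "present": ["App.exe", "Monitor.dll", "example_extra.dll"]},
    {"host": "hmi-02", "monitor_version": "3.2.125.0",
     "shipped": ["App.exe", "Monitor.dll"],
     "present": ["App.exe", "Monitor.dll"]},
    {"host": "eng-03", "monitor_version": None,
     "shipped": ["App.exe"], "present": ["App.exe", "Other.DLL"]},
]

def run():
    return [audit(i) for i in INVENTORY]

if __name__ == "__main__":
    for row in run():
        print(row)
```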