CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
0.4%
Ivan Sanchez of Wise Security has identified a DLL Hijacking vulnerability in the CIMON CmnView.exe application. CIMON, Inc. has produced a patch that mitigates this vulnerability.
This vulnerability could be exploited remotely with social engineering and requires local user input.
The following CIMON CmnView.exe application versions are affected:
This DLL Hijacking vulnerability requires that someone with local access play a part in the exploitation. The vulnerability will allow a malicious user to have the access on the victim machine with the same privileges as the application or DLL exploited.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
CIMON, Inc. is a South Korean-based company that maintains offices in South Korea and the United States.
The affected application, CmnView, is a web-based SCADA application. According to CIMON, Inc., CmnView is deployed across several sectors including Critical Manufacturing, Energy, Water and Wastewater Systems, and others. CIMON, Inc. estimates that these products are used primarily in Asia.
The CmnView application calls DLLs without specifying an absolute path; this causes Windows to search for the DLL allowing potentially malicious DLLs to be loaded.
CVE-2014-9207NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9207, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:N/C:C/I:C/A:C, web site last accessed March 10, 2015.
This vulnerability could be exploited remotely with social engineering and requires local user input. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed file.
General exploits are publicly available that utilize this attack vector. However, ICS-CERT is not aware of any specific exploits that target the CmnView application.
Crafting a working exploit for this vulnerability would take some effort. Social engineering and local user interaction is required for the malformed file to exploit the victim machine running the vulnerable application.
CIMON, Inc. has produced a patch that mitigates the DLL vulnerability. The updated UltimateAccess Version 3.02 corrects the vulnerability of the CmnView application and is free of charge to users by logging in to the CIMON, Inc. web site at:
Asset owners may wish to consider the use of anti-exploitation software like Microsoftβs Enhanced Mitigation Experience Toolkit. Products like this offer additional protections to the system memory and operating system functions that may protect against unknown software vulnerabilities.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
www.cimon.com
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-advisories/icsa-15-069-01
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Cimon%20CmnView%20DLL%20Hijacking%20Vulnerability+https://www.cisa.gov/news-events/ics-advisories/icsa-15-069-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-15-069-01&title=Cimon%20CmnView%20DLL%20Hijacking%20Vulnerability
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-15-069-01
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Cimon%20CmnView%20DLL%20Hijacking%20Vulnerability&body=www.cisa.gov/news-events/ics-advisories/icsa-15-069-01