CVE-2018-17893
📋 TL;DR
CVE-2018-17893 is a critical untrusted pointer dereference vulnerability in LAquis SCADA software that allows remote attackers to execute arbitrary code on affected systems. This affects LAquis SCADA versions 4.1.0.3870 and earlier, potentially compromising industrial control systems and SCADA networks.
💻 Affected Systems
- LAquis SCADA
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to gain full control of SCADA systems, manipulate industrial processes, cause physical damage, and pivot to other critical infrastructure systems.
Likely Case
Remote code execution leading to data theft, system disruption, ransomware deployment, or establishment of persistent access in industrial networks.
If Mitigated
Limited impact through network segmentation and proper access controls, potentially resulting in isolated system compromise without broader network access.
🎯 Exploit Status
The vulnerability allows remote exploitation without authentication, making it attractive for attackers targeting industrial systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0.3871 or later
Vendor Advisory: http://laquisscada.com/instale1.php
Restart Required: Yes
Instructions:
1. Download the latest version from the LAquis SCADA website
2. Back up the current configuration
3. Install the update
4. Restart SCADA services
5. Verify functionality
🔧 Temporary Workarounds
Network Segmentation
Isolate SCADA systems from corporate networks and internet access
Firewall Rules
Restrict network access to SCADA systems using firewall rules
netsh advfirewall firewall add rule name="Block SCADA Ports" dir=in action=block protocol=TCP localport=80,443,502,20000-30000
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCADA systems
- Deploy intrusion detection systems specifically tuned for SCADA protocols
🔍 How to Verify
Check if Vulnerable:
Check LAquis SCADA version in Help > About menu or registry key: HKEY_LOCAL_MACHINE\SOFTWARE\LAquis SCADA\Version
Check Version:
reg query "HKLM\SOFTWARE\LAquis SCADA" /v Version
Verify Fix Applied:
Verify version is 4.1.0.3871 or later and test SCADA functionality
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation from SCADA executable
- Network connections to SCADA system from unauthorized sources
- Abnormal SCADA protocol traffic patterns
Network Indicators:
- Unusual traffic to SCADA ports (502, 20000-30000)
- Exploit attempts using crafted packets to SCADA services
- Outbound connections from SCADA systems to suspicious IPs
SIEM Query:
source="scada_logs" AND ((event_type="process_creation" AND process_name="laquis_scada.exe") OR (dest_port IN (502, 20000-30000) AND src_ip NOT IN (allowed_ips)))
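As an added example (not part of the original advisory), the SIEM query expressed as Python detection logic run over constructed sample events, with both the process-creation branch and the unauthorized-source branch scoped to scada_logs events. The allow-list network 10.10.0.0/24, the event IDs and all field values are assumptions made for the sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events using the field names from the SIEM query
# (source, event_type, process_name, dest_port, src_ip). Values are made up.
SAMPLE_EVENTS = [
    {"id": 1, "source": "scada_logs", "event_type": "process_creation",
     "process_name": "laquis_scada.exe"},
    {"id": 2, "source": "scada_logs", "event_type": "network",
     "dest_port": 502, "src_ip": "10.10.0.5"},        # allowed engineering host
    {"id": 3, "source": "scada_logs", "event_type": "network",
     "dest_port": 20005, "src_ip": "192.168.50.9"},   # source not on allow-list
    {"id": 4, "source": "corp_logs", "event_type": "network",
     "dest_port": 502, "src_ip": "192.168.50.9"},     # wrong log source
    {"id": 5, "source": "scada_logs", "event_type": "process_creation",
     "process_name": "notepad.exe"},                  # not the SCADA executable
]

# Assumed allow-list: the networks permitted to reach the SCADA ports.
ALLOWED_NETS = [ip_network("10.10.0.0/24")]


def scada_port(port):
    """Port 502 (Modbus) or the 20000-30000 range named in the advisory."""
    return port == 502 or 20000 <= port <= 30000


def src_allowed(ip, allowed_nets=ALLOWED_NETS):
    """True if ip falls inside an allowed network; malformed input is not allowed."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def matches(event, allowed_nets=ALLOWED_NETS):
    """Apply the query: both branches only apply to source="scada_logs" events."""
    if event.get("source") != "scada_logs":
        return False
    proc_branch = (event.get("event_type") == "process_creation"
                   and event.get("process_name", "").lower() == "laquis_scada.exe")
    port = event.get("dest_port")
    net_branch = (isinstance(port, int) and scada_port(port)
                  and not src_allowed(event.get("src_ip", ""), allowed_nets))
    return proc_branch or net_branch


def detect(events, allowed_nets=ALLOWED_NETS):
    """Return the ids of events that satisfy the query."""
    return [e["id"] for e in events if matches(e, allowed_nets)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # [1, 3]
```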
🔗 References
- http://laquisscada.com/instale1.php
- http://www.securityfocus.com/bid/105719
- https://ics-cert.us-cert.gov/advisories/ICSA-18-289-01
- https://exchange.xforce.ibmcloud.com/vulnerabilities/151417