1. Introduction
A SCADA application, specifically 7-Technologies AQUIS Detection, is installed on remote Windows hosts. AQUIS is a hydraulic modeling tool for water networks and its presence indicates potential exposure within critical infrastructure environments. A successful exploit could allow an attacker to gain control of the system or disrupt operations. This vulnerability has a low impact on confidentiality but moderate impact on integrity and availability.
2. Technical Explanation
The vulnerability stems from the installation of AQUIS, a SCADA application developed by 7-Technologies. While not inherently malicious, its presence signifies a potential attack surface within water network control systems. An attacker with local access could potentially exploit vulnerabilities within the AQUIS software itself or use it as a pivot point to compromise other parts of the network. There is no known CVE associated with this detection; however, the risk lies in the application’s inherent complexity and potential for unpatched flaws.
- Root cause: The presence of an external SCADA application on a Windows host introduces an attack surface.
- Exploit mechanism: An attacker gaining local access could exploit vulnerabilities within AQUIS or use it to move laterally in the network.
- Scope: Remote Windows hosts with 7-Technologies AQUIS installed.
3. Detection and Assessment
Confirming the presence of AQUIS on a system is the primary assessment step. This can be done quickly through file system checks or more thoroughly using software inventory tools.
- Quick checks: Check for the existence of the AQUIS installation directory, typically located in C:\Program Files\7-Technologies\AQUIS.
- Scanning: Nessus plugin ID 139685 can detect the presence of 7-Technologies AQUIS. This is provided as an example only.
- Logs and evidence: Event logs may show installation or execution events related to AQUIS, though specific event IDs are not consistently defined.
dir "C:\Program Files\7-Technologies\AQUIS"
4. Solution / Remediation Steps
The recommended solution is to remove the AQUIS application if it’s not required. If needed, ensure it’s patched and hardened according to 7-Technologies best practices.
4.1 Preparation
- Dependencies: Identify any processes or systems that rely on AQUIS functionality. A roll back plan involves restoring from backup.
- Change window needs: Coordinate with operations teams for a planned downtime, if necessary.
4.2 Implementation
- Step 1: Uninstall AQUIS through the Windows Control Panel’s “Programs and Features” section.
- Step 3: Verify that the AQUIS installation directory no longer exists in C:\Program Files\7-Technologies\AQUIS.
4.3 Config or Code Example
This vulnerability does not involve a configuration change; it requires application removal.
Before
Directory exists: C:\Program Files\7-Technologies\AQUIS
After
Directory does not exist: C:\Program Files\7-Technologies\AQUIS
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate risks associated with third-party applications like AQUIS.
- Least privilege: Limit user access rights on the system to reduce the impact if an attacker gains control.
- Asset inventory: Maintain a complete list of all software installed on your systems to quickly identify and manage potential vulnerabilities.
4.5 Automation (Optional)
PowerShell can be used to automate AQUIS uninstallation.
# Display name of the application to remove
$AppName = "7-Technologies AQUIS"
# Find matching MSI products and uninstall each one through its WMI Uninstall() method
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*$AppName*"} | ForEach-Object { $_.Uninstall() }
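An inventory-style check that covers both the quick check in Section 3 and the post-fix check in Section 5. It reads the uninstall registry keys instead of querying Win32_Product, which makes Windows Installer re-validate every MSI product on the host. This is an added example, not code from the vendor or the original page; the `*AQUIS*` display-name pattern and the assumption that any AQUIS service carries that name are not confirmed by the page.

```powershell
# Added example: report whether AQUIS is present without touching Win32_Product.
# Assumptions: the '*AQUIS*' name pattern; the install path is the default given on this page.
function Test-AquisInstalled {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*AQUIS*',
        [string]$InstallDir  = 'C:\Program Files\7-Technologies\AQUIS'
    )

    # Uninstall keys for 64-bit and 32-bit (WOW6432Node) installers.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    # Registry evidence survives even when the install directory was moved or renamed.
    $entries = @(
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    )

    # File system evidence: the same directory the manual 'dir' check looks at.
    $dirPresent = Test-Path -LiteralPath $InstallDir -PathType Container

    # Services whose display name matches (assumed naming, see lead-in).
    $services = @(Get-Service -DisplayName $NamePattern -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DirectoryPresent = $dirPresent
        RegistryEntries  = $entries
        Services         = $services | Select-Object Name, Status
        Installed        = $dirPresent -or ($entries.Count -gt 0)
    }
}

# Before remediation 'Installed' should be True on affected hosts; after it, False.
Test-AquisInstalled | Format-List
```

A leftover directory with no registry entry (DirectoryPresent true, RegistryEntries empty) usually means the uninstaller left files behind, which is worth reviewing before closing the finding.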
5. Verification / Validation
Confirm that AQUIS has been successfully removed from the system and that related services are no longer running.
- Post-fix check: Run dir "C:\Program Files\7-Technologies\AQUIS"; it should return an error indicating the directory does not exist.
- Re-test: Re-run the quick check from Section 3 to confirm that the AQUIS installation directory is no longer present.
- Monitoring: Monitor event logs for any errors related to missing AQUIS components, though this may not be applicable if the application was unused.
dir "C:\Program Files\7-Technologies\AQUIS"
6. Preventive Measures and Monitoring
Preventing similar issues involves careful software management and regular security assessments.
- Baselines: Update your security baseline to include a list of approved applications and prohibit the installation of unauthorized software.
- Pipelines: Implement application whitelisting or blacklisting in your deployment pipelines to prevent the installation of unapproved software.
- Asset and patch process: Regularly review installed software and ensure that all applications are patched and up-to-date.
7. Risks, Side Effects, and Roll Back
Removing AQUIS may disrupt dependent systems if it’s actively used. Ensure a roll back plan is in place.
- Roll back: Restore the system from backup created prior to uninstallation.
8. References and Resources
Information about AQUIS is available on the vendor’s website.
- Vendor advisory or bulletin: http://www.7t.dk/products/aquis/