CPNI - Centre for the Protection of National Infrastructure


January 2008

3561 - Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information Portal used in Supervisory Control And Data Acquisition (SCADA) systems

ID: 3561
Date: 29/01/2008

Title: 3561 - Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information Portal used in Supervisory Control And Data Acquisition (SCADA) systems
Platform level affected: None
Hardware components affected: Mainframe
Specific operating system components affected: Other
Net-enabled software: Other
Security software: Other
Other software: Run-time Environment
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: GE Fanuc
Applications affected: CIMPLICITY and Proficy Real-Time Information Portal
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Network DOS
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: US-CERT
Reliability of source: Trusted
Source URL: http://www.us-cert.gov/current/index.html#ge_fanuc_product_vulnerabilities
Abstract: Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information Portal used in Supervisory Control And Data Acquisition (SCADA) systems that could allow an attacker to execute arbitrary code, obtain user credentials, upload and execute arbitrary files, or cause a denial-of-service condition.

US-CERT encourages users to review the following:

Vulnerability Notes Database
GE Fanuc Proficy Real-Time Information Portal allows arbitrary file upload and execution (KB12460)
GE Fanuc Proficy Real-Time Information Portal transmits authentication credentials in plain text (KB12459)
Buffer Overflow Allows Remote Code Execution (KB12458)

Vulnerability Note VU#308556
GE Fanuc CIMPLICITY HMI heap buffer overflow

Overview

GE Fanuc CIMPLICITY HMI contains a remotely accessible heap buffer overflow vulnerability which may allow a remote attacker to execute arbitrary code.

I. Description
GE Fanuc CIMPLICITY HMI is software used for monitoring and control in Supervisory Control And Data Acquisition (SCADA) systems. A heap buffer overflow vulnerability exists in a CIMPLICITY process (w32rtr.exe) that listens on the network (32000/tcp). The vulnerable process exists in both servers and clients. An attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable CIMPLICITY system. Note that this vulnerability affects GE Fanuc CIMPLICITY HMI versions up to and including version 7.0.

II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service.

III. Solution
Apply Patch

This vulnerability is addressed in CIMPLICITY 6.1 SP6 Hot fix - 010708_162517_6106 and CIMPLICITY 7.0 SIM 9. CIMPLICITY customers should refer to GE Fanuc knowledge base article KB12458 for more information.

Upgrade
Users of affected software with versions older than 6.1 are encouraged to upgrade to 6.1 or greater and then apply the patches described above. CIMPLICITY customers should refer to GE Fanuc knowledge base article KB12458 for more information.

Restrict Access
Restrict network access to hosts that require connections to CIMPLICITY. Do not allow access to CIMPLICITY from untrusted networks such as the internet.

Systems Affected
Vendor      Status       Date Updated
GE Fanuc    Vulnerable   24-Jan-2008

References

http://www.securityfocus.com/archive/1/487076/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12458
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html

Credit
This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.
Other Information
Date Public 24/01/2008
Date First Published 25/01/2008 15:30:28
Date Last Updated 25/01/2008
CERT Advisory
CVE Name CVE-2008-0176
US-CERT Technical Alerts
Metric 3.01
Document Revision 32

*********************************************

Vulnerability Note VU#339345
GE Fanuc Proficy Information Portal allows arbitrary file upload and execution

Overview
GE Fanuc Proficy Information Portal allows authenticated users to upload arbitrary files. An attacker could upload an executable server-side script (e.g., an .asp shell on a Microsoft Internet Information Server platform) and execute arbitrary commands with the privileges of the web server.

I. Description
GE Fanuc Proficy Information Portal is a web-based systems reporting tool often used to consolidate and integrate online and process-based systems data between Supervisory Control And Data Acquisition (SCADA) systems and the corporate network. Proficy Information Portal supports an "Add WebSource" feature that allows authenticated users to upload arbitrary files to the server. An uploaded file can subsequently be executed by requesting it with a web browser. This vulnerability affects GE Fanuc Proficy Information Portal up to and including version 2.6.

II. Impact
By uploading a file that can be executed by the web server (e.g., an .asp shell), a remote, authenticated attacker may be able to execute arbitrary code. The attacker could exploit this behavior to access SCADA networks.

III. Solution
Patch

This vulnerability will be addressed with a Software Improvement Module (SIM) for PROFICY 2.6. For more information about the availability of this SIM, Proficy customers should refer to GE Fanuc knowledge base article KB12460.

Upgrade

Users of affected software with versions older than 2.6 are encouraged to upgrade to 2.6 or greater and then apply the patches described above. For more information, Proficy customers should refer to GE Fanuc knowledge base article KB12460.

Restrict Access
Limit network access to hosts that require connections to the portal. Do not allow access to the portal from untrusted networks such as the internet.

Filter URLs

Using a reverse HTTP proxy, web server URL filtering, or similar technology, it may be possible to restrict the names and extensions of files that can be uploaded to the Proficy Information Portal.
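The kind of file-name check such a filter would apply, as an added example written for this page and not code from GE Fanuc or the portal. It inspects every extension in the name (so a name like shell.asp.txt cannot pass a last-extension check), rejects path components, and only admits an allowlist of data formats; both extension sets are assumptions to be tuned to what a given deployment's WebSources actually carry:

```python
import re
from typing import Tuple

# Extensions the web server could execute server-side; an upload carrying any
# of these could become a server-side shell, so they are always rejected.
# (Assumed list; extend it for the server platform actually in use.)
EXECUTABLE_EXTENSIONS = {
    "asp", "aspx", "asa", "ashx", "asmx", "cer", "cdx",
    "php", "jsp", "cgi", "pl", "exe", "dll", "bat", "cmd", "vbs",
}

# Data formats a WebSource upload would legitimately carry (assumed allowlist).
ALLOWED_EXTENSIONS = {"csv", "xml", "txt", "pdf", "png", "jpg", "gif"}

# Plain names only: letters, digits, dot, dash, underscore; no spaces, no
# semicolons, no percent-encoding, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$")


def upload_filename_allowed(filename: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a proposed upload file name."""
    if not filename or "\x00" in filename:
        return False, "empty name or embedded NUL"
    # Any directory component, with either separator, is refused outright.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        return False, "path component in file name"
    if not SAFE_NAME.match(filename):
        return False, "characters outside the permitted set"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing or empty file extension"
    exts = parts[1:]
    # Check every extension, not just the last one, so double extensions and
    # trailing-dot tricks cannot smuggle an executable type through.
    bad = [e for e in exts if e in EXECUTABLE_EXTENSIONS]
    if bad:
        return False, f"executable server-side extension '{bad[0]}'"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{exts[-1]}' not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names illustrating accepted and rejected uploads.
    for name in ["report.csv", "shell.asp", "shell.asp.txt", "..\\web.config",
                 "plant%20data.csv", "data.2008.csv", "notes.asp."]:
        print(f"{name!r:22} -> {upload_filename_allowed(name)}")
```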

Modify Web Server Permissions

It may be possible to modify web server permissions to prevent file uploads. This may impact portal functionality.

Systems Affected
Vendor      Status       Date Updated
GE Fanuc    Vulnerable   25-Jan-2008

References

http://www.securityfocus.com/archive/1/487079/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460

Credit
This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.
Other Information
Date Public 24/01/2008
Date First Published 25/01/2008 15:32:45
Date Last Updated 25/01/2008
CERT Advisory
CVE Name CVE-2008-0175
US-CERT Technical Alerts
Metric 0.84
Document Revision 34

*********************************************

Vulnerability Note VU#180876
GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

Overview
GE Fanuc Proficy Information Portal can transmit authentication credentials in plain text. An attacker could monitor traffic, obtain valid credentials, and gain access to the portal.

I. Description
GE Fanuc Proficy Information Portal is a web-based systems reporting tool often used to consolidate and integrate online and process-based systems data between Supervisory Control And Data Acquisition (SCADA) systems and the corporate network. Authentication credentials for the portal may be sent in an insecure manner. During the login procedure usernames are sent to the portal in plaintext and passwords are sent in Base64 encoded format. An attacker may be able to monitor network traffic and obtain credentials to gain unauthorized access to the portal.
This vulnerability affects GE Fanuc Proficy Information Portal up to and including version 2.6.
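An audit check for the weakness the Description above names, as an added example written for this page rather than code from GE Fanuc or the portal: it classifies a captured portal login request by transport and flags a Base64 password as a reversible encoding, not encryption. The record format (scheme, host, path, form-encoded body with a "password" field) is an assumption, since the page does not give the wire format, and the sample requests are constructed.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlencode

B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64_encoded(value: str) -> bool:
    """True if value is valid Base64 whose decoding is printable text, i.e. a
    reversible encoding of the password rather than a hash or ciphertext.
    The decoded value is checked and discarded, never returned."""
    if len(value) % 4 or not B64.match(value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(decoded) > 0 and all(32 <= b < 127 for b in decoded)


def audit_login(record: Dict[str, str]) -> List[str]:
    """Return findings for one captured login request (assumed record format)."""
    findings: List[str] = []
    if record["scheme"] == "https":
        return findings  # TLS protects the credential in transit
    findings.append("login sent over plain HTTP: username exposed")
    pw = parse_qs(record["body"]).get("password", [""])[0]
    if pw and looks_base64_encoded(pw):
        findings.append("password Base64-encoded only (reversible encoding, not encryption)")
    elif pw:
        findings.append("password in cleartext")
    return findings


# Constructed sample requests: the same login over HTTP and over SSL.
_BODY = urlencode({"username": "operator",
                   "password": base64.b64encode(b"Password1!").decode()})
SAMPLE = [
    {"scheme": "http", "host": "portal.example", "path": "/login", "body": _BODY},
    {"scheme": "https", "host": "portal.example", "path": "/login", "body": _BODY},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["scheme"], audit_login(rec))
```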

II. Impact
An attacker who can intercept network traffic can obtain authentication credentials.

III. Solution
Depending on the way the Java RMI applet connects to the portal, it may be possible to configure more secure authentication mechanisms.

Use SSL

Proficy Portal version 2.5 and up supports the use of Secure Socket Layer (SSL) connections between the client and server. The SSL protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services via public/private keys and certificates. Proficy customers should refer to GE Fanuc knowledge base article KB12459 for more information and configuration instructions.

Enable Integrated Windows Authentication

It may be possible to configure the portal to use domain authentication so that user credentials are no longer sent in plaintext. According to GE Fanuc:

If domain security is being utilized, the easiest and perhaps most secure method of transmitting username and password information is to enable Windows Authentication within IIS. In this mode, IE and IIS will negotiate the security mechanisms to use and automatically authenticate the user logged into the machine running IE from the IIS server. No password is ever passed between the two computers and therefore cannot be intercepted. Proficy customers should refer to GE Fanuc knowledge base article KB12459 and the Microsoft documents in the References section below for more information.

Restrict Access

Restrict network access to hosts that require connections to the portal. Do not allow access to the portal from untrusted networks such as the internet.

Systems Affected
Vendor      Status       Date Updated
GE Fanuc    Vulnerable   24-Jan-2008

References

http://www.securityfocus.com/archive/1/487075/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12459
http://support.microsoft.com/kb/324274
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/36ea667e-c578-43b5-87fa-a2f174efb27a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/SSLInfo.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/index.html

Credit
This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.
Other Information
Date Public 24/01/2008
Date First Published 25/01/2008 15:26:36
Date Last Updated 25/01/2008
CERT Advisory
CVE Name CVE-2008-0174
US-CERT Technical Alerts
Metric 0.17
Document Revision 38

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Tue, 29 Jan 2008 09:40:00 GMT
Domain affected: Technical