Chemical Safety Incidents
GE Clears Bently Nevada Vulnerability
Friday, October 7, 2016 @ 02:10 PM gHale
GE created new firmware to mitigate an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system, according to a report with ICS-CERT.
The new firmware ended up produced in the USB version of the GE Bently Nevada 3500/22M monitoring system.
The following GE Bently Nevada 3500/22M firmware versions suffer from the remotely exploitable vulnerability:
— GE Bently Nevada 3500/22M (USB version), all versions prior to firmware Version 5.0
— GE Bently Nevada 3500/22M (serial version), all versions
Successful exploitation of the identified vulnerability may allow a remote attacker to gain unauthorized access to the affected device with elevated privileges.
GE Bently Nevada is a wholly owned subsidiary of GE, a U.S.-based company that maintains offices in several countries around the world.
The affected product, GE Bently Nevada 3500/22M, is a vibration monitoring system. The GE Bently Nevada 3500/22M sees action across several sectors including chemical and energy. GE estimates these products see use globally.
Several open ports have been identified on the affected device, which allow unauthorized access to the device with elevated privileges.
CVE-2016-5788 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
GE released a new firmware version for the GE Bently Nevada 3500/22M TDI USB monitoring system, Version 5.0. GE’s new firmware can only end up applied to the USB version of the GE Bently Nevada 3500/22M monitoring system. Users registered with a GE Bently Nevada Technical Support Agreement can download Version 5.0 and access GE’s Technical Information Letter (TIL-149700250) detailing further mitigation strategies.
GE recommends users using the serial version of the GE Bently Nevada 3500/22M upgrade the affected device.
Users who have concerns about the security of their GE Bently Nevada 3500 System should:
— Employ system hardening techniques for GE Bently Nevada’s 3500 System as outlined in document 106M9733 – 3500 Hardening Guideline
— Contact GE Bently Nevada for information regarding installations compliant to IEC 62443-2-4 Level 1
— Implement a bump-in-the-wire solution to provide secure communication between endpoints, which may enhance security
— Effectively segment networks and implement demilitarized zones (DMZs) with properly configured firewalls to selectively control and monitor traffic passed between zones