GE Fixes Improper Input Validation

Tuesday, July 30, 2013 @ 07:07 PM gHale


GE produced an update that mitigates an improper input validation vulnerability in the GE CIMPLICITY WebView application, according to a report on ICS-CERT.

Along those lines, GE released a security advisory (GEIP13-03), available on the GE Intelligent Platforms support Web site, to inform customers about this remotely exploitable vulnerability, discovered by security researchers ZombiE and amisto0x07.

The following GE CIMPLICITY versions suffer from the issue:
• Proficy HMI/SCADA – CIMPLICITY: Version 4.01 to 8.2
• Proficy Process Systems with CIMPLICITY.

If exploited, the vulnerability could allow an unauthenticated remote attacker to crash the CIMPLICITY WebView and/or CIMPLICITY built-in Web server, run arbitrary commands on a server running the affected software, or potentially take control of the CIMPLICITY server.

An attacker can exploit the vulnerability by sending malicious messages over a TCP connection to the listening service. The attacks do not require authentication and can occur remotely. The vulnerable components are not enabled by default.

Proficy HMI/SCADA–CIMPLICITY is a client/server-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application deployed across multiple industries, according to GE.

The CimWebServer does not properly validate input. By sending a specially crafted packet, an attacker could crash the WebView or built-in Web server, run arbitrary commands on a server running the affected software, or take control of the server. The vulnerable CIMPLICITY built-in Web server component is not enabled by default. CVE-2013-2785 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.8.

No known public exploits specifically target this vulnerability, and an attacker with medium skill would be able to exploit it.

GE has released the following product updates that resolve this vulnerability:
• Proficy HMI/SCADA – CIMPLICITY 8.2 SIM 19
• Proficy HMI/SCADA – CIMPLICITY 8.1 SIM 25
• Proficy HMI/SCADA – CIMPLICITY 8.0 SIM 27
