GE Fixes Proficy Vulnerability

Tuesday, January 17, 2017 @ 07:01 PM gHale


GE created new versions to mitigate an insufficiently protected credentials vulnerability in Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software, according to a report with ICS-CERT.

Successful exploitation of this vulnerability may allow an attacker to retrieve user passwords. This vulnerability ended up discovered by Ilya Karpov of Positive Technologies.

RELATED STORIES
Advantech Mitigates Vulnerabilities
VideoInsight Fixes SQL Injection Hole
Carlo Gavazzi Patches Vulnerabilities
OSIsoft Working to Fix Pi Hole

The following GE products suffer from the issue:
• Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions
• Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions
• Proficy Historian Version 6.0 and prior versions

GE is a U.S.-based company that maintains offices in several countries around the world.

The affected product, Proficy HMI/SCADA iFIX, is a HMI/SCADA application. Proficy HMI/SCADA-CIMPLICITY is a client/server-based HMI/SCADA application. Proficy Historian is a data historian that collects, archives, and distributes production information. These products end up deployed across multiple sectors worldwide. GE Digital, GE’s Automation and Control business, and GE’s resellers and distributors sell the product. GE estimates these products see use on a global basis.

In terms of the vulnerability, an attacker may be able to retrieve user passwords if he or she has access to an authenticated session.

CVE-2016-9360 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.

This vulnerability is not exploitable remotely and cannot end up exploited without user interaction.

No known public exploits specifically target this vulnerability. In addition, an attacker with high skill would be able to exploit this vulnerability.

GE released new product versions with new product names to address the identified vulnerability in the affected products. GE released the iFIX software, Version 5.8 SIM 14, which is available at the following location.

GE has also released a new version of the CIMPLICITY software, Version 9.5, and the Historian, Version 7.0, which are available by contacting a GE Digital representative. Click here for contact information for GE.



Leave a Reply

You must be logged in to post a comment.