GE Fixes SNMP/Web Interface Holes
Wednesday, February 3, 2016 @ 02:02 PM gHale
GE created new firmware to mitigate two vulnerabilities in later model devices of the GE SNMP/Web Interface adapter, according to a report on ICS-CERT.
Users may have to upgrade earlier model SNMP/Web Interface adapters to accommodate the new firmware version, which addresses the identified remotely exploitable vulnerabilities.
SNMP/Web Interface adapter firmware versions prior to Version 4.8 suffer from the issues, reported by independent researcher Karn Ganeshen.
Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary system commands and to access other users’ sensitive account information, potentially impacting the confidentiality, integrity, and availability of the system.
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected product, SNMP/Web Interface adapter, is a web server designed to present information about the uninterruptible power supply (UPS). According to GE, the SNMP/Web Interface sees action across several sectors including critical manufacturing and energy. GE estimates this product sees use on a global basis.
The device does not perform strict input validation, which may allow an authenticated user to execute any system commands on the system.
CVE-2016-0861 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, the file contains sensitive account information stored in cleartext.
CVE-2016-0862 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.
GE has released a new firmware version for the SNMP/Web Interface adapter, Version 4.8, which addresses the reported vulnerabilities. Firmware Version 4.8 can be applied to SNMP/Web Interface adapters with the following product numbers: 1024746, 1024747, 1024748, and 1024921.
GE said all other product numbers for SNMP/Web Interface adapters will need to upgrade to the latest hardware version with Version 4.8 to address the identified vulnerabilities. GE recommends users install the latest SNMP/Web Interface adapter with firmware Version 4.8. To obtain additional information about solution options, users can contact GE.
Also, users can consult GE’s Product Bulletin.