GE Mitigates MDS PulseNET Holes
Wednesday, September 16, 2015 @ 11:09 AM gHale
GE created a new version to mitigate two vulnerabilities in its MDS PulseNET and MDS PulseNET Enterprise Network Management Software, according to a report on ICS-CERT.
These remotely exploitable vulnerabilities came to HP’s Zero Day Initiative (ZDI) from security researcher Andrea Micalizzi.
The following GE products suffer from the issue:
• MDS PulseNET Enterprise, Version 3.1.3 and all prior versions
• MDS PulseNET, Version 3.1.3 and all prior versions
Successful exploitation of the hard-coded password vulnerability may allow a remote attacker to gain access with full privileges to the system that could result in the complete compromise of the affected system. Successful exploitation of the path traversal vulnerability could allow a remote attacker to read and delete arbitrary files on the system.
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected products, MDS PulseNET and MDS PulseNET Enterprise, are software applications that monitor devices in industrial communications networks.
MDS PulseNET and MDS PulseNET Enterprise see action across several sectors including energy, water and wastewater systems, and others. GE estimates these products see use worldwide.
The affected products contain a hard-coded support account with full privileges.
CVE-2015-6456 is the case number assigned to this vulnerability, which ZDI gave a CVSS v2 base score of 9.0.
The affected products contain a directory traversal vulnerability that could allow an attacker to read and delete arbitrary files on the system.
CVE-2015-6459 is the case number assigned to this vulnerability, which ZDI gave a CVSS v2 base score of 9.4.
No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.
GE has produced a new version for the MDS PulseNET and MDS PulseNET Enterprise Network Management Software, Version 3.1.5, to resolve the identified vulnerabilities. GE recommends installing the new version as soon as possible.
Click here for GE’s new version of MDS PulseNET.
Click here for GE’s new version of MDS PulseNET Enterprise.
GE released a security bulletin that contains additional information.
For additional information about the vulnerability or the new version of MDS PulseNET and MDS PulseNET Enterprise Network Management Systems, contact GE MDS technical support at + 1-800-547-8629 or email firstname.lastname@example.org.