GE Mitigates Proficy Holes

Tuesday, October 16, 2012 @ 11:10 PM gHale


GE produced mitigation details for multiple vulnerabilities that affect the Intelligent Platforms Proficy Real-Time Information Portal.

Three improper input validation vulnerabilities could lead to a possible denial of service (DoS), according to a report on ICS-CERT. GE released patches that fix the vulnerabilities in Versions 3.5 SP1, 3.5, and 3.0 SP1. Successful exploitation of these remotely exploitable vulnerabilities could affect multiple sectors worldwide.

RELATED STORIES
SCADA Vulnerability Surfaces
WellinTech Patches Vulnerability
Mitigation, Update for PLC Hole
Sielco Sistemi Overwrite Vulnerability

Researcher Kuang-Chun Hung of Information and Communication Security Technology Center (ICST) found the vulnerabilities in GE’s Intelligent Platforms Proficy Real-Time Information Portal.

The following GE product versions suffer from the issue:
• Intelligent Platforms Proficy Real-Time Information Portal v2.6,
• Intelligent Platforms Proficy Real-Time Information Portal v3.0,
• Intelligent Platforms Proficy Real-Time Information Portal v3.0 SP1,
• Intelligent Platforms Proficy Real-Time Information Portal v3.5, and
• Intelligent Platforms Proficy Real-Time Information Portal v3.5 SP1.

These vulnerabilities do not affect versions of Proficy Real-Time Information Portal v2.5 and earlier.

By successfully exploiting these vulnerabilities, attackers could initiate a DoS or possible remote code execution in the Remote Interface Service. These could affect the availability of the system.

According to GE, Proficy Real-Time Information Portal is a Web-based data visualization and reporting tool that deploys across multiple industries worldwide.

Three vulnerabilities are in the Remote Interface Service that operates on Port 5159/TCP. These vulnerabilities can end up exploited by sending additional data into the buffer, not properly checked as input data by the service. As a result, an attacker can cause a crash of the system leading to a DoS condition. CVE-2012-3010, CVE-2012-3021, and CVE-2012-3026 are the numbers assigned to these vulnerabilities, which have a CVSS v2 base score of 7.1.

GE released a security advisory and patches that fix the vulnerabilities in Versions 3.5 SP1, 3.5, and 3.0 SP1. The currently available patches are at GE’s Intelligent Platforms Software Download Web Sites.
Proficy Real-Time Information Portal 3.5 SP1 SIM 1.
Proficy Real-Time Information Portal 3.5 SIM 17.
Proficy Real-Time Information Portal 3.0 SP1 SIM 44.



Leave a Reply

You must be logged in to post a comment.