GE Updates Proficy Vulnerability

Tuesday, May 30, 2017 @ 01:05 PM gHale


GE created new versions to mitigate an insufficiently protected credentials vulnerability in Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software, according to a report with ICS-CERT.

Successful exploitation of this vulnerability may allow an attacker to retrieve user passwords. This vulnerability ended up discovered by Ilya Karpov of Positive Technologies.

RELATED STORIES
Moxa Offers Mitigations for its OnCell
Rockwell Fixes MicroLogix Holes
B. Braun Medical Fixes Redirect Issue
Miele Professional Patches Vulnerability

The following GE products suffer from the issue:
• Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions
• Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions
• Proficy Historian Version 6.0 and prior versions

GE is a U.S.-based company that maintains offices in several countries around the world.

The affected product, Proficy HMI/SCADA iFIX, is a HMI/SCADA application. Proficy HMI/SCADA-CIMPLICITY is a client/server-based HMI/SCADA application. Proficy Historian is a data historian that collects, archives, and distributes production information. These products end up deployed across multiple sectors worldwide. GE Digital, GE’s Automation and Control business, and GE’s resellers and distributors sell the product. GE estimates these products see use on a global basis.

In terms of the vulnerability, an attacker may be able to retrieve user passwords if he or she has access to an authenticated session.

CVE-2016-9360 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.

This vulnerability is not exploitable remotely and cannot end up exploited without user interaction.

No known public exploits specifically target this vulnerability. In addition, an attacker with high skill would be able to exploit this vulnerability.

GE released new product versions with new product names to address the identified vulnerability in the affected products. GE released the iFIX software, Version 5.8 SIM 14, which is available at the following location.

GE has also released a new version of the CIMPLICITY software, Version 9.5, and the Historian, Version 7.0, which are available by contacting a GE Digital representative. Click here for contact information for GE.

GE released new versions of the Historian software, Version 6.0 SIM 9 (Standard and Enterprise)

GE released a new version of the Historian software, Version 5.5 SIM 37

GE released a new version of the HMI/SCADA iFIX 5.8 SIM 14

GE released a new version of the HMI/SCADA iFIX software, Version 5.5. iFIX users with versions earlier than Version 5.5 who cannot upgrade can call GE Support.

GE released a new version of the CIMPLICITY software, Version 8.2 SIM 49

GE released a new version of the CIMPLICITY software, Version 9.0 SIM 22

GE Digital recommended all users upgrade to GE HMI/SCADA CIMPLICITY 9.5. For users unable to upgrade to GE HMI/SCADA CIMPLICITY 9.5, the following steps may mitigate the risks described above:
• Enable project configuration security and limit the number of users that have access to the workbench to only those that need to configure the project
• Enable Windows domain authentication so that CIMPLICITY users’ passwords are not stored in CIMPLICITY



Leave a Reply

You must be logged in to post a comment.