GE Works to Fix Vulnerabilities

Wednesday, November 2, 2011 @ 10:11 PM gHale


GE is taking some security vulnerability hits with some of its offerings.

One area is GE Intelligent Platforms, where the Zero Day Initiative issued a warning about a stack-based buffer overflow vulnerability in the Proficy Historian Data Archiver.

ICS-CERT coordinated with GE Intelligent Platforms to validate this vulnerability, and GE created a patch to address the issue. The patch fully resolves this issue, ICS-CERT said.

The vulnerability affects the following GE Intelligent Platforms products:
• Proficy Historian: Versions 4.0 and prior
• Proficy HMI/SCADA—CIMPLICITY: Version 8.1 (If Historian is installed)
• Proficy HMI/SCADA—iFIX: Versions 5.0 and 5.1 (If Historian is installed).

The vulnerability in the Proficy Historian could cause the Historian Data Archiver service to crash and potentially allow an attacker to take control of a system running the affected software.

Proficy Historian is a data historian that collects, archives, and distributes production information. The Proficy Historian product covers multiple industries worldwide, GE said. CVE-2011-1918 is the number assigned to the vulnerability.

A stack-based buffer overflow vulnerability exists as a result of the way that the Historian Data Archiver service (ihDataArchiver.exe or ihDataArchiver_x64.exe) processes incoming TCP/IP message traffic on Port 14000/TCP. The vulnerability is remotely exploitable.

GE released security advisories and free product updates, Software Improvement Modules (SIMs), to address reported security vulnerabilities in Proficy software. GE urges all customers to follow the recommendations in the security advisories.

A valid GE SSO ID and Customer Service Number are required to access the advisories and updates.

The following product updates for Proficy Historian address this issue:
Proficy Historian 4.0 SIM 12
Proficy Historian 3.5 SIM 17
Proficy Historian 3.1 SIM IH31_11092015699.exe

GE provided the following instructions for iFIX and CIMPLICITY users:
iFIX and CIMPLICITY installations:

Option 1: If Proficy Historian is in use, refer to the information above for Historian SIM applications and apply the appropriate SIM (update) to the installed version of Proficy Historian.

Option 2: If Proficy Historian is not in use, uninstall Proficy Historian by following the instructions below:

1. Double-click the Add/Remove Programs icon in the Control Panel. The Add/Remove Programs dialog box opens.

2. Select Proficy Historian, and click the Remove button.
a. To uninstall Historian and save the current Historian configuration and data, select Do Not Delete Archives and click Next.
b. To uninstall Historian and delete the current Historian configuration and data, select Delete Archives and click Next.

3. The uninstall proceeds and all Historian components are removed.

In addition, GE is suffering from multiple cross-site scripting (XSS) vulnerabilities in the GE Intelligent Platforms Proficy Historian Web Administrator software.

ICS-CERT coordinated this vulnerability with GE and independent security researchers Billy Rios and Terry McCorkle, and GE has made recommendations to reduce the potential attack surface. The affected product, Historian Web Administrator with Proficy Historian, is considered by GE to be a legacy component; as a result, GE is not issuing a patch for this vulnerability.

This vulnerability affects:
• Proficy Historian: All versions
• Proficy HMI/SCADA CIMPLICITY: Versions 8.1 and 8.2 (If Historian is installed).
• Proficy HMI/SCADA iFIX: Versions 5.0 and 5.1 (If Historian is installed).

This vulnerability could allow an attacker to obtain information and to execute arbitrary client-side scripts to support further attacks.

GE made recommendations to reduce the potential attack surface. The affected product, Historian Web Administrator with Proficy Historian, is a legacy component. As a result, GE is not issuing a patch for this vulnerability.

An XSS vulnerability exists in the Historian Web Administrator because it lacks server-side validation of query string parameter values. Attacks that exploit these vulnerabilities require that a user visit a specially crafted URL, which injects client-side scripts into the server’s HTTP response to the client.

Successful exploitation of this vulnerability could allow an attacker to obtain information and to execute arbitrary client-side scripts to support further attacks. This vulnerability is remotely exploitable. CVE-2011-3320 is the number assigned to this vulnerability.

GE does not recommend that customers install or use the Historian Web Administrator component with Proficy Historian. According to GE, the Historian Web Administrator is a legacy product component that a user should remove from systems running the affected software to reduce the potential attack surface. According to GE, the “Administrative Website” option will not be in the Historian Install Wizard in future versions of the Historian product.

GE recommends that customers follow these steps to remove installed copies of the Historian Web Administrator:
1. Open Windows Explorer.
2. Navigate to the Windows directory where the Historian Web Administrator is installed. By default, this is in the IIS directory C:\inetpub\wwwroot.
3. Right click on the “Historian” folder and select “Delete” to delete that folder.

One more advisory concerns a stack-based buffer overflow vulnerability in the GE Intelligent Platforms Proficy Plant Applications software suite.

ICS-CERT coordinated with GE to validate this vulnerability. GE created a patch to address the issue. The patch fully resolves this issue, ICS-CERT said.

This vulnerability affects Proficy Plant Applications (Version 5.0 and prior). This vulnerability could cause multiple Proficy services to crash and potentially allow an attacker to take control of a system running the affected software.

GE reported that a stack-based buffer overflow vulnerability exists because of the way that Proficy Plant Applications components process incoming TCP/IP message traffic. This vulnerability affects the following services:
• Proficy Server Manager (PRProficyMgr.exe) that listens on Port 12293/TCP by default
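
A local audit for the exposure points named in this article (the 14000/TCP and 12293/TCP listeners and the default Web Administrator folder), given as an added example that is not GE or ICS-CERT code. It assumes a Windows version that provides Get-NetTCPConnection (Windows 8 / Server 2012 or later) and the default IIS path quoted above; the variable and property names are illustrative.

```powershell
# Added example (not GE or ICS-CERT code). Ports, executable names and the
# default IIS path are the ones quoted in the article; the rest is assumed.
$services = @(
    @{ Port = 14000; Processes = @('ihDataArchiver', 'ihDataArchiver_x64')
       Issue = 'Historian Data Archiver overflow (CVE-2011-1918)' },
    @{ Port = 12293; Processes = @('PRProficyMgr')
       Issue = 'Proficy Server Manager (Plant Applications overflow)' }
)

$findings = @()
foreach ($svc in $services) {
    # Listening sockets on the port the article gives for this service.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $svc.Port -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Issue            = $svc.Issue
            Evidence         = '{0}:{1} held by {2} (PID {3})' -f $l.LocalAddress, $l.LocalPort, $proc.ProcessName, $l.OwningProcess
            # True when the listener is one of the executables the article names.
            NamedService     = $svc.Processes -contains $proc.ProcessName
            # A listener bound only to loopback is not reachable from the network.
            NetworkReachable = $l.LocalAddress -notin @('127.0.0.1', '::1')
        }
    }
}

# Legacy Historian Web Administrator: GE's removal steps delete this folder.
$webAdmin = Join-Path 'C:\inetpub\wwwroot' 'Historian'
if (Test-Path -LiteralPath $webAdmin -PathType Container) {
    $findings += [pscustomobject]@{
        Issue            = 'Historian Web Administrator XSS (CVE-2011-3320)'
        Evidence         = "$webAdmin exists"
        NamedService     = $true
        NetworkReachable = $null   # depends on the IIS site bindings, not checked here
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No listed listeners or Web Administrator folder found on this host.'
}
```

A finding only shows that the component is present and listening; whether the installed Historian or Plant Applications build is still affected depends on the SIM level, which this script does not read.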


