Mitigations for Information Portal

Wednesday, January 23, 2013 @ 05:01 PM gHale


General Electric (GE) mitigated two vulnerabilities in its Intelligent Platforms Proficy Real-Time Information Portal. Exploitation of these remotely exploitable vulnerabilities would result in information disclosure.

GE created two security advisories (GEIP12-14 and GEIP12-15) available on the GE Intelligent Platforms support Web site to inform users about these vulnerabilities.

All versions of the Proficy Real-Time Information Portal suffer from the issue.

CVE-2013-0651 is a security misconfiguration that, if exploited, could allow an unauthenticated remote attacker to retrieve sensitive configuration information such as system usernames and passwords for portal data sources. The misconfiguration is a default installation setting that can be changed.

CVE-2013-0652 is an information disclosure vulnerability that, if exploited, could allow an unauthenticated remote attacker to obtain a list of usernames for users of the portal application and a limited amount of other technical information that could aid the attacker in conducting additional attacks.

Proficy Real-Time Information Portal is a Web-based data visualization and reporting tool deployed across multiple industries worldwide, GE said.

By default, the portal installation creates files and folders in unauthenticated locations on the IIS or Apache Web server. An attacker can exploit this misconfiguration by making an HTTP GET request on Port 80/TCP to retrieve configuration files and other sensitive information.

CVE-2013-0651 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Proficy Real-Time Information Portal exposes methods of a vulnerable class via Java RMI. Even with portal authentication enabled within the application, it unnecessarily exposes some of these methods and allows them to be called without authentication. An attacker can exploit the vulnerability by making an RMI call over Port 80/TCP to retrieve information.

CVE-2013-0652 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.

To mitigate these information disclosure vulnerabilities, GE recommends making the following configuration changes:
• Disable “Anonymous Authentication” and “Windows Authentication.”
• Require authentication for all portal users.
• Configure an SSL certificate to encrypt portal application traffic.

For detailed instructions, see GE Intelligent Platforms Product Security Advisories GEIP12-14 and GEIP12-15.
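
For the IIS case, one way to check the first and third items above against a server's configuration (an added example, not taken from GE's advisories or from this article): the script reads `applicationHost.config`-style `<location>` blocks and flags any with Anonymous or Windows Authentication enabled, or without SSL required. The sample XML and its site paths are constructed placeholders, and using `sslFlags` as the SSL check is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config <location> form. The site and
# application names are placeholders, not paths from the GE advisories.
SAMPLE = """<configuration>
  <location path="Default Web Site/PortalApp">
    <system.webServer><security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
      <access sslFlags="None" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/PortalAppHardened">
    <system.webServer><security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="false" />
      </authentication>
      <access sslFlags="Ssl" />
    </security></system.webServer>
  </location>
</configuration>"""

def audit_locations(xml_text):
    """Map each <location> path to the findings for that location."""
    results = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        findings = []
        for name in ("anonymousAuthentication", "windowsAuthentication"):
            node = next(loc.iter(name), None)
            if node is None:
                # No explicit override: the value comes from the parent level.
                findings.append(f"{name} inherited, check parent")
            elif node.get("enabled", "").lower() == "true":
                findings.append(f"{name} enabled")
        access = next(loc.iter("access"), None)
        flags = access.get("sslFlags", "None") if access is not None else "None"
        # Assumption: "SSL configured" is checked as sslFlags including Ssl.
        if "Ssl" not in [f.strip() for f in flags.split(",")]:
            findings.append("SSL not required")
        results[loc.get("path")] = findings
    return results

if __name__ == "__main__":
    for path, findings in audit_locations(SAMPLE).items():
        print(path, "->", findings or "ok")
```

The script covers only explicit `<location>` overrides on IIS; Apache deployments and settings held in per-application `web.config` files need a separate check.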