Pro-face Clears GP-Pro EX HMI Holes

Wednesday, April 6, 2016 @ 09:04 AM gHale


Pro-face created a module to mitigate one information disclosure and two buffer overflow vulnerabilities along with a hard-coded credentials hole in its GP-Pro EX HMI software, according to a report on ICS-CERT.

These vulnerabilities, discovered by the Zero Day Initiative (ZDI) and independent researcher Jeremy Brown, could be exploited remotely, and some can be leveraged without user interaction.

Pro-face said these vulnerabilities affect the following versions of GP-Pro EX:
• Models: EX-ED, PFXEXEDV, PFXEXEDLS, PFXEXGRPLS
• Versions: 1.00 to Ver. 4.0.4

It is possible for an attacker to force a stack-based buffer overflow. An attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process.

Pro-face is a U.S.-based company that maintains offices in several countries around the world, including Asia, India, Australia, the Americas, and Europe. Schneider Electric acquired Pro-face.

The affected product, GP-Pro EX, is an HMI Screen Editor and Logic Programming software. According to Pro-face, GP-Pro EX is deployed across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Pro-face said the product sees global use.

In one vulnerability, it is possible for an attacker to force a heap-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2015-2290 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, it is possible for an attacker to force an out-of-bounds read. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2015-2291 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Also, it is possible for an attacker to force a stack-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2016-2292 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

In another vulnerability, hard-coded credentials in the FTP server allow for a remote user to have access to the project on the device.

CVE-2015-7921 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

Also, there are authentication bypass issues in the FTP server which allow for a remote user to have access to the project on the device.

CVE-2015-7921 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Pro-face released the following module:
GP-Pro EX (Ver. 4.05.000 or later). The Update Module includes:
• Editor: Ver.4.05.000
• Transfer Tool: Ver.4.05.000
• System/Runtime: Ver.4.5.0

To download the module, free member registration is required for “Otasuke Pro!”.