GE Plugs Hole in iFix

Wednesday, October 10, 2018 @ 12:10 PM gHale

GE released new software in June that fixes an unsafe ActiveX control marked safe for scripting vulnerability in its Gigasoft component of iFix, according to a report with NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by LiMingzheng of 360 aegis security team, could cause a buffer overflow condition.

WECON PI Studio Vulnerabilities
Change Healthcare Fixes Vulnerability
Carestream Remediates Vue RIS Hole
Delta Electronics Fixes ISPSoft Hole

GE reports this vulnerability in a Gigasoft component affects the following iFix HMI products:
• iFIX 2.0 – 5.0
• iFIX 5.1
• iFIX 5.5
• iFIX 5.8
Gigasoft components older than Version 8.0 are likely to be used in other products from other vendors also.

In the vulnerability, multiple instances of this issue have been identified in the third-party ActiveX object provided to GE iFIX by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted.

CVE-2018-17925 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees application in multiple sectors and on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

GE released iFIX 5.9 in June 2017 to address this issue by incorporating Gigasoft Version 8.0

GE recommends users only use ActiveX from trusted sources.

To obtain the latest versions of the iFIX product, contact the local GE Digital representative.

For more information on this vulnerability and associated software updates, see GE Security Communication GED SecComm 18-01 dated March 27, 2018.

Leave a Reply

You must be logged in to post a comment.