GE Updates HMI/SCADA Bug

Wednesday, January 9, 2013 @ 12:01 PM gHale

GE updated its Intelligent Platforms Proficy HMI/SCADA Cimplicity, after a researcher found an improper input validation vulnerability which could lead to denial of service (DoS), according to a report on ICS-CERT.

This vulnerability, discovered by researcher Kuang-Chun Hung of Information and Communication Security Technology Center (ICST), is remotely exploitable. ICST has validated that the update works.

The following products and versions suffer from the issue:
• Proficy HMI/SCADA – CIMPLICITY: Version 4.01 and greater
• Proficy Process Systems with CIMPLICITY.

Proficy HMI/SCADA – CIMPLICITY Versions 4.0 and prior do not suffer from this vulnerability.

If exploited, this vulnerability could allow an unauthenticated remote attacker to cause the CIMPLICITY built-in Web server to crash or to stop responding to requests.

Proficy HMI/SCADA – CIMPLICITY is a Client/Server based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application deployed across multiple industries.

The vulnerability exists in the way the CIMPLICITY built-in Web server (CimWebServer.exe) processes incoming HTTP traffic because of insufficient input validation. The CIMPLICITY built-in Web server is not enabled by default. When enabled, it listens on Port 80 TCP by default.

An attacker can exploit the vulnerability by sending malformed HTTP requests to the listening service. The attack does not require authentication and can occur remotely. CVE-2012-4689 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1. An attacker with low skill would be able to exploit this vulnerability.

GE released a security advisory and patches to address this issue.

GE will not create patches for versions of CIMPLICITY prior to Version 8.0. The company recommends users unable to patch or upgrade consider workarounds that eliminate the need to use the vulnerable component:

Option 1: Disable the CIMPLICITY built-in Web server if it is not in use.
GlobalView, WebView, and ThinView expose the existing functionality of the CIMPLICITY HMI application so the user can view it via a Web browser.
If the user does not need this functionality, he or she can disable Web-based access by the following process:
1. Open CIMPLICITY Options.

2. Select the “WebView/ThinView” tab.
a. Uncheck the “Use built-in Web server” option.
b. Uncheck the “Start at boot time” option.

3. Select the “GlobalView” tab (if you installed GlobalView).
a. Uncheck the “Use built-in Web server” option.
b. Uncheck the “Start at boot time” option.

4. Click “OK.”

Option 2: Use an alternate Web server to host GlobalView, WebView, or ThinView.
You can replace the CIMPLICITY built-in Web server with a third-party Web application server such as Microsoft IIS.

To configure GlobalView, WebView, or ThinView to use IIS:
1. Clear the “Use built-in Web server” check box on the WebView/ThinView and GlobalView tabs of the CIMPLICITY Options dialog box.

2. Copy the ProwlerClient.jar file from the WebPages directory of your CIMPLICITY installation to an IIS Web server directory.

3. In the WebView/ThinView or GlobalView tab of CIMPLICITY Options, click on “Create a Web Page” to create an HTML file for your Web server. Use the “Browse Page” button to navigate to the directory where you’d like to save the page.
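
After either workaround, the built-in Web server (CimWebServer.exe) should no longer own a listening TCP socket. The Python check below is an added example, not part of GE's advisory or the original article; it parses the output of `netstat -ano` and `tasklist /fo csv /nh`, and the sample output, PIDs and function names in it are constructed for illustration.

```python
import csv
import io
import subprocess
import sys

TARGET_IMAGE = "cimwebserver.exe"  # process name from the advisory, compared case-insensitively
# Constructed sample output (not from a real host); English-locale netstat text is assumed.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    [::]:80                [::]:0                 LISTENING       2316
  UDP    0.0.0.0:123            *:*                                    1044
"""
SAMPLE_TASKLIST = '''\
"System","4","Services","0","1,024 K"
"svchost.exe","884","Services","0","8,112 K"
"CimWebServer.exe","2316","Services","0","14,560 K"
'''

def tcp_listeners(netstat_text):
    """(local_address, port, pid) for each TCP socket in LISTENING state; UDP rows lack a state."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, _, port = parts[1].rpartition(":")
            found.append((addr, int(port), int(parts[4])))
    return found

def pid_images(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def builtin_web_server_listeners(netstat_text, tasklist_csv):
    """Listeners owned by CimWebServer.exe; matched by image so a non-default port is caught."""
    images = pid_images(tasklist_csv)
    return [(addr, port, pid) for addr, port, pid in tcp_listeners(netstat_text)
            if images.get(pid, "").lower() == TARGET_IMAGE]

if __name__ == "__main__":
    ns, tl = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    if sys.platform == "win32":  # on a live host, use real command output instead
        ns, tl = (subprocess.run(cmd, capture_output=True, text=True).stdout
                  for cmd in (["netstat", "-ano"], ["tasklist", "/fo", "csv", "/nh"]))
    hits = builtin_web_server_listeners(ns, tl)
    for addr, port, pid in hits:
        print(f"CimWebServer.exe (PID {pid}) is still listening on {addr}:{port}")
    sys.exit(1 if hits else 0)
```

Exit status 0 means no CimWebServer.exe listener was found; on a non-Windows machine the script runs against the constructed sample.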
