GE Upgrade Fixes Communicator Holes

Thursday, May 2, 2019 @ 03:05 PM gHale

General Electric has an upgrade available to mitigate multiple vulnerabilities in its Communicator, according to a report with NCCIC.

The vulnerabilities include an uncontrolled search path, use of hard-coded credentials, and improper access control.

Successful exploitation of these remotely exploitable vulnerabilities, which GE self-reported, could allow an attacker to gain administrative privileges, manipulate widgets and UI elements, gain control over the database, or execute administrative commands.

The following Communicator components, all versions prior to 4.0.517, are affected:
• Communicator Installer
• Communicator Application
• Communicator PostGreSQL
• Communicator MeterManager
• Communicator WISE Uninstaller

In one vulnerability, a non-administrative user may place malicious files within the installer file directory, which may allow an attacker to gain administrative privileges on a system during installation or upgrade.

CVE-2019-6564 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

In addition, an attacker may place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI elements.

CVE-2019-6546 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

Also, two backdoor accounts with hardcoded credentials exist, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

CVE-2019-6548 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In another issue, a service running with system privileges may allow an unprivileged user to perform certain administrative actions, which may lead to the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

CVE-2019-6544 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.6.

Also, a non-administrative user may replace the uninstaller with a malicious version, which could allow an attacker to gain administrator privileges to the system.

CVE-2019-6566 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
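
A defender-side check for the three file-placement issues above (installer directory, working directory, uninstaller), added here as an example and not taken from GE or the advisory: it lists ACL entries that grant write-type rights to non-administrative principals. The path is a placeholder, and the list of SIDs treated as administrative is an assumption to adjust for your environment.

```powershell
param(
    # Placeholder path: substitute the installer, working and uninstaller
    # directories of your own deployment (the advisory does not list them).
    [string[]]$Paths = @('C:\Path\To\Communicator')
)

# Rights that let a principal create, replace, delete or re-permission files.
$rights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Well-known SIDs treated as administrative for this check (assumption).
$trusted = @(
    'S-1-5-18',        # LocalSystem
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER (inherit-only template ACE)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names so the comparison is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
    # Check the directory itself and every subdirectory beneath it.
    $sub = Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue
    $dirs = @($root) + @($sub | ForEach-Object FullName)
    $dirs | ForEach-Object { Get-NonAdminWriteAce -Path $_ }
}
```

Any row returned is a directory where an account outside the trusted list could drop or replace files; an empty result means no such ACE was found on the paths checked.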

The product is used mainly in the critical manufacturing and energy sectors and is deployed on a global basis.

GE recommends users upgrade to GE Communicator version 4.0.517 or newer.

GE recommends ensuring Windows default firewall rules are active.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.


