Yesterday the DHS ICS-CERT published three advisories for three separate GE Proficy applications, with a total of four vulnerabilities identified. The advisories are the result of a coordinated disclosure by Luigi via the Zero Day Initiative (ZDI). None of these vulnerabilities is currently listed on the Luigi web site or the ZDI Published Advisories web page. The three GE Proficy applications are:
• Historian – A memory corruption vulnerability;
• Real-Time Information Portal – A directory traversal vulnerability; and
• Plant Applications – Two memory corruption vulnerabilities.
All four of the vulnerabilities are remotely exploitable by a moderately skilled attacker. The Plant Applications vulnerabilities could allow an attacker to “gain control of the systems”. The Historian vulnerability could allow for arbitrary code execution. The Real-Time Information Portal vulnerability would only allow some modifications of configuration files on the server.
Separate security advisories outlining specific mitigation measures have been issued by GE Intelligent Platforms for each of these ICS-CERT advisories. None of the ICS-CERT advisories contains any information about whether or not these mitigation measures resolve the reported vulnerabilities.
There is an interesting and encouraging note in the Plant Applications advisory from ICS-CERT. In the ‘Mitigation’ section it notes:
“Proficy Plant Applications customers using unsupported Versions 4.3.1, 4.2.3, 4.2.2, and 215.8 should contact GE Intelligent Platforms Support for assistance with obtaining and applying a patch.”
With the long useful life of control systems, it is nice to see an organization that provides security support to out-of-date applications. GE Intelligent Platforms is to be commended for this service.