Wednesday, January 9, 2013

ICS-CERT Publishes GE Proficy Advisory

Yesterday the DHS ICS-CERT published an advisory on an integer overflow vulnerability in the GE Proficy HMI/SCADA Cimplicity platform. The vulnerability was reported in a coordinated disclosure by Kuang-Chun Hung of the Information and Communication Security Technology Center (ICST). The advisory had been released earlier on the US-CERT secure portal library.

The advisory reports that a relatively low-skilled attacker could remotely exploit this vulnerability by sending a specially crafted HTTP request to the service listening on TCP port 80 and cause a system crash. The Cimplicity web server would have to be enabled on the system for the vulnerability to be exploitable.

GE has developed a patch, which has been validated by ICST. For older versions of the system that will not be patched, the advisory provides two options to mitigate this vulnerability:

• Disable the Cimplicity web server if not needed; or

• Use an alternative web server.

Interestingly, the advisory provides step-by-step instructions for implementing each option instead of referring owner/operators to a GE Proficy web site. Is this a new service being provided by ICS-CERT, developing mitigation measures for control systems that are no longer supported by the vendor? I would assume that owners of such systems would be pleased by such a move. Vendor responses would be less clear. There could also be liability issues related to such a service.

1 comment:

Anonymous said...

When I read the ICS-CERT Advisory, it looks like they are just repeating the instructions from GE, and not providing ICS-CERT recommendations. If this is the case, do you have problems with this approach?

-----copied from Advisory------
Patches for versions of CIMPLICITY prior to Version 8.0 will not be created. GE recommends customers who are unable to patch or upgrade consider the recommendations below.

GE has provided the following workaround recommendations that eliminate the need to use the vulnerable component:

Option 1: Disable the CIMPLICITY built-in Web server if it is not in use.
Option 2: Use an alternate Web server to host GlobalView, WebView, or ThinView.
