Yesterday the DHS ICS-CERT published an advisory on an integer overflow vulnerability in the GE Proficy HMI/SCADA Cimplicity platform. The vulnerability was reported in a coordinated disclosure by Kuang-Chun Hung of the Information and Communication Security Technology Center (ICST). This advisory had been released earlier on the US CERT secure portal Library.
The advisory reports that a relatively low-skilled attacker could remotely exploit this vulnerability by sending a specially crafted HTTP request to the listening service on TCP port 80 and cause a system crash. The Cimplicity web server would have to have been activated on the system for this vulnerability to be exploitable.
A patch has been developed by GE and it has been validated by ICST. The advisory provides two options to mitigate this vulnerability in an older version of the system that will not be patched. The two options are:
• Disable the Cimplicity web server if not needed; or
• Use an alternative web server.
Interestingly, the Advisory provides step-by-step instructions for implementing each option instead of referring owner/operators to a GE Proficy web site. Is this a new service being provided by ICS-CERT: developing mitigation measures for control systems that are no longer supported by the vendor? I would assume that owners of such systems would be pleased by such a move. Vendor responses would be less clear. There could also be liability issues related to such a service.