Yesterday the DHS ICS-CERT published an advisory for twin path traversal vulnerabilities reported in the GE Proficy CIMPLICITY application by amisto0x07 and Z0mb1E. The disclosure was coordinated through the Zero Day Initiative (ZDI). A patch has been developed by GE for one of the vulnerabilities and a configuration change has been suggested for the other. There is no indication that the researchers have validated the efficacy of these mitigation measures.
ICS-CERT notes that a moderately skilled attacker could remotely exploit either of these vulnerabilities to execute arbitrary code on the system.
GE has published two advisories (GEIP13-05 and GEIP13-06) that discuss the vulnerabilities in more detail and explain the mitigation measures.
GEIP13-05 – No Patch
This GE Advisory notes that the vulnerability is due to a single component (gefebt.exe) and recommends that ‘all copies’ of the file be deleted. The advisory provides information about where copies of the file should be found in the server directories and on the server web pages.
The advisory notes that making these changes will disable links on the default home page on the CIMPLICITY system that allow users “to browse CIMPLICITY projects and view alarms, points, screens and objects”. To regain this functionality, the default home pages will have to be re-created using the “Create Webpage” option.
This could be a very complex remediation.
GEIP13-06 – Patch Available
The second advisory provides a link for a patch to CIMPLICITY version 8.2. It notes that users of versions earlier than 8.2 should upgrade to version 8.2. Interestingly, versions 4.0 and earlier are not affected by either of these vulnerabilities.
GE provides two other mitigation options as alternatives to updating to version 8.2 and applying the patch. If web-based HMI functionality is not needed, they provide the option of disabling that functionality. If that functionality is required, there is the option of using an alternative web server (IIS) instead of the vulnerable CimWebServer.exe.
Delayed ICS-CERT Notification
Joel Langill notes that OSVDB has been reporting this vulnerability since the middle of December. The GE advisories are also dated from the same point in time and both note that public disclosure of the vulnerabilities was expected by December 31st.
There is no explanation in the ICS-CERT advisory as to why it has taken them so long to report this vulnerability. These delays are becoming increasingly common with ICS-CERT advisories. More importantly, it is becoming more common for ICS-CERT to ignore or miss reports of ICS vulnerabilities altogether. Perhaps it is time for Congress to exercise their oversight responsibility and look into the operations of ICS-CERT.