ICS-CERT Publishes 2 GE Proficy Advisories and Updates ICS TIP

Yesterday the DHS ICS-CERT published two advisories for GE Proficy products and updated for a second time their TIP sheet about “Targeted Cyber Intrusion Detection and Mitigation Strategies”. I know that the Control System Security Program web page shows three GE advisories issued today, but a closer look shows that two of them are for the same advisory. [NOTE: As of 13:00 EST on 1-23-13 this has been corrected.]

ICS TIP

Back in May of last year, ICS-CERT issued the first of their technical information papers (TIP) concerning actions to be taken when corporate networks are thought to have been attacked. ICS-CERT updated the TIP in July by adding a section on Credential Management. This latest update makes revisions to the same section; based largely in differences in new versions of Windows® software. Some of the specific changes include:

• Added a link to recent Microsoft guidance on protecting user credentials;

• Expanded the discussion about privileged accounts; and

• Removed the discussion about cached credentials;

GE Information Portal Advisory

In this advisory GE has self-reported two information disclosure vulnerabilities in its Proficy Information Portal application. ICS-CERT reports that a relatively low skilled attacker could remotely exploit either of these vulnerabilities and acquire configuration information about the system including potentially user names and passwords via calls to Port80/TCP.

GE has published two security advisories (GEIP12-14 and GEIP12-15) that explain how to make the necessary configuration changes to address these vulnerabilities.

GE Cimplicity Advisory

In this advisory GE has self-reported two vulnerabilities in its Cimplicity products. The two remotely exploitable vulnerabilities are:

• A directory traversal vulnerability; and

• An improper input validation vulnerability.

ICS-CERT reports that either vulnerability could be remotely executed by a relatively low skilled attacker. The directory traversal vulnerability could allow the attacker to view or download files from the server. The input validation vulnerability could allow the attacker to execute arbitrary commands.

GE has created patches and developed configuration changes to address these vulnerabilities. Information is available in security advisories GEIP12-13 and GEIP12-19.

Additional Information

As is usual in producing these advisories, ICS-CERT provides additional generic information about the protection of control systems. Among the standard items listed is a reference to their TIP “Targeted Cyber Intrusion Detection and Mitigation Strategies” that I mentioned earlier in this post. Interestingly, both of these GE advisories reference the July 2012 version of the TIP, not the version released yesterday. To be fair they were both issued earlier in the day than was the newest version of the TIP, but a little bit better internal coordination could have provided more up-to-date information.