Yesterday the DHS ICS-CERT published an advisory
for twin path traversal vulnerabilities reported in the GE Proficy CIMPLICITY
application by amisto0x07 and Z0mb1E. The disclosure was coordinated through
the Zero Day Initiative (ZDI). A patch has been developed by GE for one of the
vulnerabilities and a configuration change has been suggested for the other.
There is no indication that the researchers have validated the efficacy of
these mitigation measures.
ICS-CERT notes that a moderately skilled attacker could
remotely exploit either of these vulnerabilities to execute arbitrary code on
the system.
GE has published two advisories (GEIP13-05
and GEIP13-06)
that discuss the vulnerabilities in more detail and explain the mitigation
measures.
GEIP13-05 – No Patch
This GE Advisory notes that the vulnerability is due to a
single component (gefebt.exe) and recommends that ‘all copies’ of the file be
deleted. The advisory provides information about where copies of the file
should be found in the server directories and on the server web pages.
The advisory notes that making these changes will disable
links on the default home page of the CIMPLICITY system that allow users to “browse
CIMPLICITY projects and view alarms, points, screens and objects”. To
regain this functionality, the default home pages will have to be re-created
using the “Create Webpage” option.
This could be a very complex remediation.
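Because the GEIP13-05 workaround depends on every copy of gefebt.exe being removed, a practitioner will want a way to confirm that none remain after the cleanup. The script below is an added example for this post, not code from GE or from the advisory: it walks a directory tree, reports every file named gefebt.exe (case-insensitive, since Windows file systems are) together with its SHA-256 so duplicate copies can be told from distinct builds, and runs against a constructed temporary tree whose directory names are assumptions for illustration, not the locations the GE advisory lists. On a real server you would point find_copies() at each drive or web root instead.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File name taken from GE advisory GEIP13-05. The directory names used in
# demo() below are assumptions for this example, not the locations the
# advisory lists.
TARGET_NAME = "gefebt.exe"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str = TARGET_NAME) -> list[tuple[str, str]]:
    """Walk `root` and return (relative path, sha256) for every file whose
    name matches `name` case-insensitively, sorted by path. Symlinked
    directories are not followed, so a linked tree cannot cause a loop."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for fname in files:
            if fname.lower() == name.lower():
                p = Path(dirpath) / fname
                hits.append((str(p.relative_to(root)), sha256_of(p)))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Build a constructed directory tree imitating leftover copies (a web
    page directory, a backup folder, a differently-cased copy, and an
    unrelated component) and scan it. Contents are stub bytes, not real
    binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            "Proficy/CIMPLICITY/WebPages/gefebt.exe": b"stub-binary-A",
            "Proficy/CIMPLICITY/WebPages/index.htm": b"<html></html>",
            "Backup/2012-12/GEFEBT.EXE": b"stub-binary-A",
            "inetpub/wwwroot/cimplicity/gefebt.exe": b"stub-binary-B",
            "Proficy/CIMPLICITY/exe/CimWebServer.exe": b"other-component",
        }
        for rel, data in layout.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        hits = find_copies(root)
        # Normalise separators so the result reads the same on Windows and POSIX.
        return [(rel.replace(os.sep, "/"), digest) for rel, digest in hits]


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"{digest[:16]}  {rel}")
```

An empty result from find_copies() over every disk and web root is the condition the advisory's workaround actually requires; two hits with the same hash are the same build left in two places, while differing hashes mean more than one version of the component was installed and each needs to be traced back to its source.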
GEIP13-06 – Patch Available
The second advisory provides a link for a patch to
CIMPLICITY version 8.2. It notes that users of versions earlier than 8.2 should
upgrade to version 8.2. Interestingly, versions 4.0 and earlier are not
affected by either of these vulnerabilities.
GE provides two other mitigation options as alternatives to
upgrading to version 8.2 and applying the patch. If web-based HMI functionality
is not needed, that functionality can be disabled. If it is required, IIS can be
used as the web server in place of the vulnerable CimWebServer.exe.
Delayed ICS-CERT Notification
Joel Langill notes that
OSVDB has been reporting this vulnerability since the middle of December. The
GE advisories are also dated from the same point in time and both note that
public disclosure of the vulnerabilities was expected by December 31st.
There is no explanation in the ICS-CERT advisory as to why
it has taken them so long to report this vulnerability. These delays are
becoming increasingly common with ICS-CERT advisories. More importantly, it is
becoming more common for ICS-CERT to ignore or miss reports of ICS
vulnerabilities altogether. Perhaps it is time for Congress to exercise its
oversight responsibility and look into the operations of ICS-CERT.