===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0100
     [Win][Appliance] Vulnerabilities in GE Fanuc CIMPLICITY and Proficy
     Real-Time Information Portal used in Supervisory Control And Data
                        Acquisition (SCADA) systems
                               30 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GE Fanuc CIMPLICITY HMI
                   GE Fanuc Proficy Information Portal
Publisher:         UK Centre for the Protection of National Infrastructure (CPNI)
Operating System:  Windows
                   Network Appliance
Impact:            Execute Arbitrary Code/Commands
                   Access Privileged Data
                   Create Arbitrary Files
                   Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CVE-2008-0176 CVE-2008-0175 CVE-2008-0174

Original Bulletin:
  http://www.cpni.gov.uk/products/alerts/3561.aspx

--------------------------BEGIN INCLUDED TEXT--------------------

________________________________________________________________________

CSIRTUK ADVISORY - 3561 dated 29.01.08 time 10:30
Centre for the Protection of National Infrastructure (CPNI)
________________________________________________________________________

Further details about CPNI, including information about our products, can
be found at www.cpni.gov.uk

Please note that CSIRTUK RSS Feeds are available from:
http://www.cpni.gov.uk/rss/advisories.xml
________________________________________________________________________

Title
=====

Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy
Real-Time Information Portal used in Supervisory Control And Data
Acquisition (SCADA) systems

Detail
======

ID:   3561
Date: 29/01/2008
------------------------------------------------------------------------

Title:                          3561 - Description of vulnerabilities in
                                GE Fanuc CIMPLICITY and Proficy Real-Time
                                Information Portal used in Supervisory
                                Control And Data Acquisition (SCADA)
                                systems
Platform level affected:        None
Hardware components affected:   Mainframe
Specific operating systems
components affected:            Other
Net-enabled software:           Other
Security software:              Other
Other software:                 Run-time Environment
Remediation Summary:            Update your copy of the software with the
                                download available from the supplier.
Vendors affected:               GE Fanuc
Applications affected:          CIMPLICITY and Proficy Real-Time
                                Information Portal
Adversity source:               Unknown
Attack Vector:                  Vulnerability exploitation
Virulence:                      Unknown
Warning Status:                 Unknown
Potential Damage:               Network DOS
Possible Duration:              Unknown
Availability of fix:            Available
Type of fix:                    Patch
Source:                         US-CERT
Reliability of source:          Trusted
Source URL:
  http://www.us-cert.gov/current/index.html#ge_fanuc_product_vulnerabilities

Abstract:

Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy
Real-Time Information Portal used in Supervisory Control And Data
Acquisition (SCADA) systems that could allow an attacker to execute
arbitrary code, obtain user credentials, upload and execute arbitrary
files, or cause a denial-of-service condition.

US-CERT encourages users to review the following:

Vulnerability Notes Database
  - GE Fanuc Proficy Real-Time Information Portal allows arbitrary file
    upload and execution (KB12460)
  - GE Fanuc Proficy Real-Time Information Portal transmits
    authentication credentials in plain text (KB12459)
  - Buffer Overflow Allows Remote Code Execution (KB12458)

*********************************************

Vulnerability Note VU#308556
GE Fanuc CIMPLICITY HMI heap buffer overflow

Overview

GE Fanuc CIMPLICITY HMI contains a remotely accessible heap buffer
overflow vulnerability which may allow a remote attacker to execute
arbitrary code.

I. Description

GE Fanuc CIMPLICITY HMI is software used for monitoring and control in
Supervisory Control And Data Acquisition (SCADA) systems. A heap buffer
overflow vulnerability exists in a CIMPLICITY process (w32rtr.exe) that
listens on the network (32000/tcp). The vulnerable process exists in both
servers and clients. An attacker could exploit this vulnerability by
sending a specially crafted packet to a vulnerable CIMPLICITY system.

Note that this vulnerability affects GE Fanuc CIMPLICITY HMI versions up
to and including version 7.0.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code
or cause a denial of service.

III. Solution

Apply Patch

This vulnerability is addressed in CIMPLICITY 6.1 SP6 Hot fix -
010708_162517_6106 and CIMPLICITY 7.0 SIM 9. CIMPLICITY customers should
refer to GE Fanuc knowledge base article KB12458 for more information.

Upgrade

Users of affected software with versions older than 6.1 are encouraged
to upgrade to 6.1 or greater and then apply the patches described above.
CIMPLICITY customers should refer to GE Fanuc knowledge base article
KB12458 for more information.

Restrict Access

Restrict network access to hosts that require connections to CIMPLICITY.
Do not allow access to CIMPLICITY from untrusted networks such as the
internet.

Systems Affected

Vendor      Status       Date Updated
GE Fanuc    Vulnerable   24-Jan-2008

References

http://www.securityfocus.com/archive/1/487076/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12458
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html

Credit

This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.

Other Information

Date Public               24/01/2008
Date First Published      25/01/2008 15:30:28
Date Last Updated         25/01/2008
CERT Advisory
CVE Name                  CVE-2008-0176
US-CERT Technical Alerts
Metric                    3.01
Document Revision         32

*********************************************

Vulnerability Note VU#339345
GE Fanuc Proficy Information Portal allows arbitrary file upload and execution

Overview

GE Fanuc Proficy Information Portal allows authenticated users to upload
arbitrary files. An attacker could upload an executable server-side
script (e.g., an .asp shell on a Microsoft Internet Information Server
platform) and execute arbitrary commands with the privileges of the web
server.

I. Description

GE Fanuc Proficy Information Portal is a web-based systems reporting tool
often used to consolidate and integrate online and process-based systems
data between Supervisory Control And Data Acquisition (SCADA) systems and
the corporate network. Proficy Information Portal supports an "Add
WebSource" feature that allows authenticated users to upload arbitrary
files to the server. An uploaded file can subsequently be executed by
requesting it with a web browser.

This vulnerability affects GE Fanuc Proficy Information Portal up to and
including version 2.6.

II. Impact

By uploading a file that can be executed by the web server (e.g., an .asp
shell), a remote, authenticated attacker may be able to execute arbitrary
code. The attacker could exploit this behavior to access SCADA networks.

III. Solution

Patch

This vulnerability will be addressed with a Software Improvement Module
(SIM) for PROFICY 2.6. For more information about the availability of
this SIM, Proficy customers should refer to GE Fanuc knowledge base
article KB12460.

Upgrade

Users of affected software with versions older than 2.6 are encouraged
to upgrade to 2.6 or greater and then apply the patches described above.
For more information, Proficy customers should refer to GE Fanuc
knowledge base article KB12460.

Restrict Access

Limit network access to hosts that require connections to the portal. Do
not allow access to the portal from untrusted networks such as the
internet.

Filter URLs

Using a reverse HTTP proxy, web server URL filtering, or similar
technology, it may be possible to restrict the names and extensions of
files that can be uploaded to the Proficy Information Portal.

Modify Web Server Permissions

It may be possible to modify web server permissions to prevent file
uploads. This may impact portal functionality.

Systems Affected

Vendor      Status       Date Updated
GE Fanuc    Vulnerable   25-Jan-2008

References

http://www.securityfocus.com/archive/1/487079/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460

Credit

This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.

Other Information

Date Public               24/01/2008
Date First Published      25/01/2008 15:32:45
Date Last Updated         25/01/2008
CERT Advisory
CVE Name                  CVE-2008-0175
US-CERT Technical Alerts
Metric                    0.84
Document Revision         34

*********************************************

Vulnerability Note VU#180876
GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

Overview

GE Fanuc Proficy Information Portal can transmit authentication
credentials in plain text. An attacker could monitor traffic, obtain
valid credentials, and gain access to the portal.

I. Description

GE Fanuc Proficy Information Portal is a web-based systems reporting tool
often used to consolidate and integrate online and process-based systems
data between Supervisory Control And Data Acquisition (SCADA) systems and
the corporate network. Authentication credentials for the portal may be
sent in an insecure manner. During the login procedure usernames are
sent to the portal in plaintext and passwords are sent in Base64 encoded
format. An attacker may be able to monitor network traffic and obtain
credentials to gain unauthorized access to the portal.

This vulnerability affects GE Fanuc Proficy Information Portal up to and
including version 2.6.

II. Impact

An attacker who can intercept network traffic can obtain authentication
credentials.

III. Solution

Depending on the way the Java RMI applet connects to the portal, it may
be possible to configure more secure authentication mechanisms.

Use SSL

Proficy Portal version 2.5 and up supports the use of Secure Sockets
Layer (SSL) connections between the client and server. The SSL protocol
is commonly used to provide authentication, encryption, integrity, and
non-repudiation services via public/private keys and certificates.
Proficy customers should refer to GE Fanuc knowledge base article KB12459
for more information and configuration instructions.

Enable Integrated Windows Authentication

It may be possible to configure the portal to use domain authentication
so that user credentials are no longer sent in plaintext. According to
GE Fanuc:

    If domain security is being utilized, the easiest and perhaps most
    secure method of transmitting username and password information is
    to enable Windows Authentication within IIS. In this mode, IE and
    IIS will negotiate the security mechanisms to use and automatically
    authenticate the user logged into the machine running IE from the
    IIS server. No password is ever passed between the two computers
    and therefore cannot be intercepted.

Proficy customers should refer to GE Fanuc knowledge base article KB12459
and the Microsoft documents in the References section below for more
information.

Restrict Access

Restrict network access to hosts that require connections to the portal.
Do not allow access to the portal from untrusted networks such as the
internet.
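The Filter URLs mitigation for VU#339345 above suggests restricting the names and extensions of files that can be uploaded through "Add WebSource". The following Python is an added example of such a reject-by-default name check, not code from the advisory, GE Fanuc or US-CERT. The extension allowlist and the function names are assumptions, and the IIS/NTFS filename quirks it rejects come from general IIS behaviour rather than from the advisory.

```python
import re
from urllib.parse import unquote

# Extensions the portal needs to serve as plain content. Constructed for this
# example: anything the web server could execute (.asp, .aspx, .asa, .cer,
# .cdx, ...) is deliberately absent, so it is rejected by default.
ALLOWED_EXTENSIONS = {"htm", "html", "csv", "txt", "xml", "gif", "jpg", "png", "pdf"}

# Base name: letters, digits, underscore and hyphen only, bounded in length.
_SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def upload_name_allowed(raw_name: str) -> bool:
    """Decide whether an upload filename may pass the filter (hypothetical name).

    Reject-by-default: the name must decode to a single base name with exactly
    one extension, and that extension must be on the allowlist.
    """
    # Decode percent-encoding twice so that neither "%2e" nor the double-encoded
    # "%252e" can smuggle a dot, slash or NUL past the checks below.
    name = unquote(unquote(raw_name))
    # NUL and other control characters never occur in a legitimate filename.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return False
    # No directory components: traversal ("../") or absolute paths.
    if "/" in name or "\\" in name:
        return False
    # IIS/NTFS name handling that would let a script extension survive:
    #   "shell.asp;.jpg"    - IIS 6 treats the part after ';' as not the name
    #   "shell.asp::$DATA"  - NTFS alternate data stream of shell.asp
    #   "shell.asp. "       - NTFS strips trailing dots and spaces on create
    if ";" in name or ":" in name or name != name.rstrip(". "):
        return False
    # Exactly one extension: "report.csv" passes, "shell.asp.csv" and "shell" fail.
    parts = name.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    if not _SAFE_BASE.match(base):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def filter_upload_names(names):
    """Partition a batch of requested upload names into accepted and rejected."""
    accepted = [n for n in names if upload_name_allowed(n)]
    rejected = [n for n in names if not upload_name_allowed(n)]
    return accepted, rejected
```

Applied in a reverse proxy, the rejected list is also what you would log, since repeated attempts at names like `shell.asp;.jpg` are a clear signal that someone is probing the upload feature.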
Systems Affected

Vendor      Status       Date Updated
GE Fanuc    Vulnerable   24-Jan-2008

References

http://www.securityfocus.com/archive/1/487075/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12459
http://support.microsoft.com/kb/324274
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/36ea667e-c578-43b5-87fa-a2f174efb27a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/SSLInfo.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/index.html

Credit

This vulnerability was reported by Eyal Udassin of C4 Security.
This document was written by Chris Taschner.

Other Information

Date Public               24/01/2008
Date First Published      25/01/2008 15:26:36
Date Last Updated         25/01/2008
CERT Advisory
CVE Name                  CVE-2008-0174
US-CERT Technical Alerts
Metric                    0.17
Document Revision         38

________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to you?
   (Place an 'X' next to your choice)

   Very useful:__   Useful:__   Not useful:__

2. If you did not find it useful, why not?

3. Any other comments? How could we improve our advisories?

Thank you for your contribution.
________________________________________________________________________

CSIRTUK wishes to acknowledge the contributions of US-CERT for the
information contained in this advisory.
________________________________________________________________________

This advisory contains information released by the original author. Some
of the information may have changed since it was released. If the issue
affects you, it may be prudent to retrieve the advisory from the site of
the original source to ensure that you receive the most current
information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark, manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by CPNI. The views
and opinions of authors expressed within this notice shall not be used
for advertising or product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable
for any loss or damage whatsoever, arising from or in connection with the
usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
________________________________________________________________________

<End of CPNI Advisory>

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================