-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                     ESB-2008.0100 -- [Win][Appliance]
 Vulnerabilities in GE Fanuc CIMPLICITY and Proficy Real-Time Information
  Portal used in Supervisory Control And Data Acquisition (SCADA) systems
                              30 January 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GE Fanuc CIMPLICITY HMI
                      GE Fanuc Proficy Information Portal
Publisher:            UK Centre for the Protection of National
                        Infrastructure (CPNI)
Operating System:     Windows
                      Network Appliance
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
                      Create Arbitrary Files
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0176 CVE-2008-0175 CVE-2008-0174

Original Bulletin:    http://www.cpni.gov.uk/products/alerts/3561.aspx

- --------------------------BEGIN INCLUDED TEXT--------------------

________________________________________________________________________


CSIRTUK ADVISORY - 3561 dated 29.01.08 time 10:30

Centre for the Protection of National Infrastructure (CPNI)

________________________________________________________________________

 Further details about CPNI, including information about our products can be
 found at www.cpni.gov.uk

 Please note that CSIRTUK RSS Feeds are available from:
 http://www.cpni.gov.uk/rss/advisories.xml
________________________________________________________________________

Title
=====
Description of vulnerabilities in GE Fanuc CIMPLICITY and Proficy
Real-Time Information Portal used in Supervisory Control And Data
Acquisition (SCADA) systems

Detail
======
ID: 3561
Date: 29/01/2008

- --------------------------------------------------------------------------------
Title: 3561 - Description of vulnerabilities in GE Fanuc CIMPLICITY and
Proficy Real-Time Information Portal used in Supervisory Control And
Data Acquisition (SCADA) systems
Platform level affected: None
Hardware components affected: Mainframe
Specific operating systems components affected: Other
Net-enabled software: Other
Security software: Other
Other software: Run-time Environment
Remediation Summary: Update your copy of the software with the download
available from the supplier.
Vendors affected: GE Fanuc
Applications affected: CIMPLICITY and Proficy Real-Time Information Portal
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Network DOS
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: US-CERT
Reliability of source: Trusted
Source URL: http://www.us-cert.gov/current/index.html#ge_fanuc_product_vulnerabilities
Abstract: Description of vulnerabilities in GE Fanuc CIMPLICITY and
Proficy Real-Time Information Portal used in Supervisory Control And
Data Acquisition (SCADA) systems that could allow an attacker to execute
arbitrary code, obtain user credentials, upload and execute arbitrary
files, or cause a denial-of-service condition.

US-CERT encourages users to review the following:

Vulnerability Notes Database
GE Fanuc Proficy Real-Time Information Portal allows arbitrary file
upload and execution (KB12460)
GE Fanuc Proficy Real-Time Information Portal transmits authentication
credentials in plain text (KB12459)
Buffer Overflow Allows Remote Code Execution (KB12458)

Vulnerability Note VU#308556
GE Fanuc CIMPLICITY HMI heap buffer overflow

Overview

GE Fanuc CIMPLICITY HMI contains a remotely accessible heap buffer
overflow vulnerability which may allow a remote attacker to execute
arbitrary code. 

I. Description
GE Fanuc CIMPLICITY HMI is software used for monitoring and control in
Supervisory Control And Data Acquisition (SCADA) systems. A heap buffer
overflow vulnerability exists in a CIMPLICITY process (w32rtr.exe) that
listens on the network (32000/tcp). The vulnerable process exists in
both servers and clients. An attacker could exploit this vulnerability
by sending a specially crafted packet to a vulnerable CIMPLICITY system.
Note that this vulnerability affects GE Fanuc CIMPLICITY HMI versions up
to and including version 7.0. 

II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code
or cause a denial of service.

III. Solution
Apply Patch 

This vulnerability is addressed in CIMPLICITY 6.1 SP6 Hot fix
010708_162517_6106 and CIMPLICITY 7.0 SIM 9. CIMPLICITY customers should
refer to GE Fanuc knowledge base article KB12458 for more information.

Upgrade
Users of affected software with versions older than 6.1 are encouraged
to upgrade to 6.1 or greater and then apply the patches described above.
CIMPLICITY customers should refer to GE Fanuc knowledge base article
KB12458 for more information.

Restrict Access
Restrict network access to hosts that require connections to CIMPLICITY.
Do not allow access to CIMPLICITY from untrusted networks such as the
internet. 
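To make the "restrict access" advice checkable after the fact, the following is an added example (not code from GE Fanuc, US-CERT or CPNI) that audits Windows Firewall log lines for connections to the CIMPLICITY listener on 32000/tcp from hosts outside a site allowlist. The allowlist, the log lines and the 10.20.0.5 server address are constructed for the demonstration; the W3C-style field layout is that of Windows Firewall's pfirewall.log.

```python
"""Audit Windows Firewall log lines for connections to the CIMPLICITY
w32rtr.exe listener (32000/tcp) from hosts that are not on the allowlist.

Added example, not GE Fanuc, US-CERT or CPNI code. The log layout is the
W3C-style pfirewall.log written by Windows Firewall; the sample lines and
the allowlist below are constructed for the demonstration.
"""
import ipaddress

CIMPLICITY_PORT = 32000

# Hypothetical site policy: only these hosts/subnets may talk to CIMPLICITY.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("10.20.0.0/24"),   # operator stations
    ipaddress.ip_network("10.20.1.10/32"),  # historian
]

# Constructed pfirewall.log excerpt (dst 10.20.0.5 is the CIMPLICITY server).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-01-30 09:12:01 ALLOW TCP 10.20.0.15 10.20.0.5 49211 32000 0 - 0 0 0 - - - RECEIVE
2008-01-30 09:12:07 ALLOW TCP 10.20.1.10 10.20.0.5 49212 32000 0 - 0 0 0 - - - RECEIVE
2008-01-30 09:13:40 ALLOW TCP 172.16.44.9 10.20.0.5 3311 32000 0 - 0 0 0 - - - RECEIVE
2008-01-30 09:14:02 DROP TCP 203.0.113.77 10.20.0.5 55100 32000 0 - 0 0 0 - - - RECEIVE
2008-01-30 09:14:30 ALLOW UDP 10.20.0.15 10.20.0.5 137 137 78 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return a dict for one data line, or None for comment/blank lines."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8:
        return None
    return {"date": f[0], "time": f[1], "action": f[2], "proto": f[3],
            "src": f[4], "dst": f[5], "sport": f[6], "dport": f[7]}


def is_allowed(src):
    """True if the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_CLIENTS)


def audit(log_text):
    """Return (allowed_hits, unexpected, probes) for TCP/32000 traffic.

    unexpected: connections the firewall ALLOWED from sources outside the
    allowlist, i.e. paths an attacker could use to reach w32rtr.exe.
    probes: dropped attempts, worth correlating with other alerts.
    """
    allowed_hits, unexpected, probes = [], [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["proto"] != "TCP" or rec["dport"] != str(CIMPLICITY_PORT):
            continue
        if rec["action"] == "DROP":
            probes.append(rec["src"])
        elif is_allowed(rec["src"]):
            allowed_hits.append(rec["src"])
        else:
            unexpected.append(rec["src"])
    return allowed_hits, unexpected, probes


if __name__ == "__main__":
    ok, bad, dropped = audit(SAMPLE_LOG)
    for src in bad:
        print(f"ALLOWED 32000/tcp from non-allowlisted host {src}: tighten the firewall scope")
    for src in dropped:
        print(f"probe of 32000/tcp from {src} was dropped")
```

Run it against the real pfirewall.log on each CIMPLICITY server and client (the vulnerable process runs on both); every entry in the "unexpected" list is a host that could deliver the crafted packet and should either be added to the policy or blocked.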

Systems Affected
Vendor Status Date Updated 
GE Fanuc Vulnerable 24-Jan-2008 

References

http://www.securityfocus.com/archive/1/487076/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12458
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html

Credit
This vulnerability was reported by Eyal Udassin of C4 Security. 
This document was written by Chris Taschner. 
Other Information
Date Public 24/01/2008 
Date First Published 25/01/2008 15:30:28 
Date Last Updated 25/01/2008 
CERT Advisory   
CVE Name CVE-2008-0176 
US-CERT Technical Alerts   
Metric 3.01 
Document Revision 32 


*********************************************

Vulnerability Note VU#339345
GE Fanuc Proficy Information Portal allows arbitrary file upload and
execution

Overview
GE Fanuc Proficy Information Portal allows authenticated users to upload
arbitrary files. An attacker could upload an executable server-side
script (e.g., an .asp shell on a Microsoft Internet Information Server
platform) and execute arbitrary commands with the privileges of the web
server. 

I. Description
GE Fanuc Proficy Information Portal is a web-based systems reporting
tool often used to consolidate and integrate online and process-based
systems data between Supervisory Control And Data Acquisition (SCADA)
systems and the corporate network. Proficy Information Portal supports
an "Add WebSource" feature that allows authenticated users to upload
arbitrary files to the server. An uploaded file can subsequently be
executed by requesting it with a web browser. This vulnerability affects
GE Fanuc Proficy Information Portal up to and including version 2.6. 

II. Impact
By uploading a file that can be executed by the web server (e.g., an
.asp shell), a remote, authenticated attacker may be able to execute
arbitrary code. The attacker could exploit this behavior to access SCADA
networks. 

III. Solution
Patch 

This vulnerability will be addressed with a Software Improvement Module
(SIM) for Proficy 2.6. For more information about the availability of
this SIM, Proficy customers should refer to GE Fanuc knowledge base
article KB12460.

Upgrade

Users of affected software with versions older than 2.6 are encouraged
to upgrade to 2.6 or greater and then apply the patches described above.
For more information, Proficy customers should refer to GE Fanuc
knowledge base article KB12460.

Restrict Access
Limit network access to hosts that require connections to the portal. Do
not allow access to the portal from untrusted networks such as the
internet. 

Filter URLs

Using a reverse HTTP proxy, web server URL filtering, or similar
technology, it may be possible to restrict the names and extensions of
files that can be uploaded to the Proficy Information Portal.

Modify Web Server Permissions

It may be possible to modify web server permissions to prevent file
uploads. This may impact portal functionality. 
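The two mitigations above (URL filtering and web server permissions) both come down to deciding which file names the server should accept, and then verifying what is already on disk. The following is an added example, not GE Fanuc, US-CERT or CPNI code, of an allowlist filter a reverse proxy or upload handler in front of the portal could apply, together with an audit of an existing upload directory. The permitted extensions and the sample directory listing are assumptions. The filter accepts only names it recognises rather than blocking names it knows are bad, because a denylist misses the extension nobody thought of and is defeated by double extensions or separator tricks.

```python
"""Allowlist check for file names uploaded through a web portal, plus an
audit of an existing upload directory for server-executable files.

Added example, not GE Fanuc, US-CERT or CPNI code. The allowed extensions
and the sample directory listing are assumptions for the demonstration.
"""
import posixpath
import re

# Content the portal actually needs to accept (hypothetical site policy).
ALLOWED_EXTENSIONS = {"htm", "html", "txt", "csv", "pdf", "png", "gif", "jpg"}

# Extensions IIS/ASP.NET (and common add-ons) execute or interpret server
# side. Used only for the post-hoc audit, never as the upload decision.
SERVER_EXECUTABLE = {"asp", "aspx", "asa", "asax", "ascx", "ashx", "asmx",
                     "cer", "cdx", "config", "php", "jsp", "pl", "exe", "dll"}

# Exactly one dot, a short safe stem, and a short extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.([A-Za-z0-9]{1,5})$")


def upload_name_allowed(filename):
    """Decide whether an uploaded file name may be stored.

    Rejects path separators, NUL/control bytes, reserved characters,
    more than one dot (shell.asp.jpg, shell.asp;.jpg), trailing dots or
    spaces, and any extension outside the allowlist. Extension matching
    is case-insensitive because the web server's file system is.
    """
    if not filename or len(filename) > 80:
        return False
    if any(ord(c) < 32 or c in '\\/:;*?"<>|' for c in filename):
        return False
    if posixpath.basename(filename) != filename:
        return False
    m = SAFE_NAME.match(filename)
    if not m:
        return False
    return m.group(1).lower() in ALLOWED_EXTENSIONS


def audit_upload_dir(names):
    """Return names in an upload directory that the web server could
    execute, even when disguised with extra extensions or separators."""
    findings = []
    for name in names:
        # split on every '.' and ';' so shell.asp;.jpg and shell.asp.jpg
        # both expose their 'asp' segment
        parts = re.split(r"[.;]", name.lower())
        if any(p in SERVER_EXECUTABLE for p in parts[1:]):
            findings.append(name)
    return findings


# Constructed listing of a WebSource upload directory.
SAMPLE_LISTING = [
    "daily_report.html",
    "trend.csv",
    "cmd.asp",
    "logo.asp;.jpg",
    "notes.txt",
    "web.config",
]

if __name__ == "__main__":
    for name in ["report.pdf", "shell.asp", "shell.ASP", "shell.asp.jpg",
                 "shell.asp;.jpg", "../shell.asp", "report.pdf.", "ok.HTML"]:
        print(f"{name!r:20} -> {'accept' if upload_name_allowed(name) else 'reject'}")
    print("executable content already present:", audit_upload_dir(SAMPLE_LISTING))
```

The filter is only half the control: the directory the portal writes uploads into should additionally have script execution disabled in IIS, so that a file which slips past the name check is served as static content rather than run.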

Systems Affected
Vendor Status Date Updated 
GE Fanuc Vulnerable 25-Jan-2008 

References

http://www.securityfocus.com/archive/1/487079/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460 

Credit
This vulnerability was reported by Eyal Udassin of C4 Security. 
This document was written by Chris Taschner. 
Other Information
Date Public 24/01/2008 
Date First Published 25/01/2008 15:32:45 
Date Last Updated 25/01/2008 
CERT Advisory   
CVE Name CVE-2008-0175 
US-CERT Technical Alerts   
Metric 0.84 
Document Revision 34 


*********************************************

Vulnerability Note VU#180876
GE Fanuc Proficy Information Portal transmits authentication credentials
in plain text

Overview
GE Fanuc Proficy Information Portal can transmit authentication
credentials in plain text. An attacker could monitor traffic, obtain
valid credentials, and gain access to the portal. 

I. Description
GE Fanuc Proficy Information Portal is a web-based systems reporting
tool often used to consolidate and integrate online and process-based
systems data between Supervisory Control And Data Acquisition (SCADA)
systems and the corporate network. Authentication credentials for the
portal may be sent in an insecure manner. During the login procedure
usernames are sent to the portal in plaintext and passwords are sent in
Base64 encoded format. Base64 is a reversible encoding, not encryption,
so the password is effectively in the clear as well. An attacker who can
monitor network traffic can obtain the credentials and gain unauthorized
access to the portal.
This vulnerability affects GE Fanuc Proficy Information Portal up to and
including version 2.6.
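Because Base64 is reversible, a passive observer recovers the password as easily as the username. The following is an added example, not GE Fanuc, US-CERT or CPNI code, that does exactly that over a constructed plaintext login request and a constructed HTTP Basic authorization header (which is Base64 too). The login path and the form field names (user, pwd) are assumptions, since the advisory does not describe the portal's form.

```python
"""Recover credentials from plaintext HTTP requests whose passwords are
merely Base64 encoded.

Added example, not GE Fanuc, US-CERT or CPNI code. The captured requests
below are constructed; the login path and field names are assumptions.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Constructed capture of a form login seen on a mirror port.
CAPTURED_REQUEST = (
    "POST /portal/login HTTP/1.1\r\n"
    "Host: portal.plant.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "user=operator1&pwd=UzNjcjN0UGFzcyE="
)

# Constructed capture of a request using HTTP Basic authentication.
CAPTURED_BASIC = (
    "GET /portal/report HTTP/1.1\r\n"
    "Host: portal.plant.example\r\n"
    "Authorization: Basic b3BlcmF0b3IyOmh1bnRlcjI=\r\n"
    "\r\n"
)

USER_FIELDS = ("user", "username", "login")
PASS_FIELDS = ("pwd", "password", "pass")


def try_b64(value):
    """Return the decoded text if value is strict Base64 of printable
    ASCII, else None (so an unencoded value is passed through unchanged)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def split_request(req):
    """Return (request_line, headers dict with lower-cased names, body)."""
    head, _, body = req.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def recover_credentials(req):
    """Return the (username, password) pairs recoverable from one
    plaintext HTTP request: Basic auth headers and login form bodies."""
    found = []
    _, headers, body = split_request(req)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = try_b64(auth[6:])
        if decoded and ":" in decoded:
            found.append(tuple(decoded.split(":", 1)))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        user = next((form[k] for k in USER_FIELDS if k in form), None)
        pwd = next((form[k] for k in PASS_FIELDS if k in form), None)
        if user and pwd:
            found.append((user, try_b64(pwd) or pwd))
    return found


if __name__ == "__main__":
    for req in (CAPTURED_REQUEST, CAPTURED_BASIC):
        for user, pwd in recover_credentials(req):
            print(f"recovered {user!r} / {pwd!r}")
```

The only fix that stops this is to take the login exchange off the plaintext channel (SSL or integrated Windows authentication, as the Solution section below describes); obscuring the password further with another encoding would change nothing about what an observer learns.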

II. Impact
An attacker who can intercept network traffic can obtain authentication
credentials. 

III. Solution
Depending on the way the Java RMI applet connects to the portal, it may
be possible to configure more secure authentication mechanisms. 

Use SSL

Proficy Portal version 2.5 and up supports the use of Secure Socket
Layer (SSL) connections between the client and server. SSL provides
server (and optionally client) authentication, encryption, and integrity
protection via public/private keys and certificates, so a passive
observer can no longer read the login exchange. This only holds if
clients are configured to validate the server certificate; otherwise an
active attacker can still interpose. Proficy customers should refer to
GE Fanuc knowledge base article KB12459 for more information and
configuration instructions.

Enable Integrated Windows Authentication

It may be possible to configure the portal to use domain authentication
so that user credentials are no longer sent in plaintext. According to
GE Fanuc:

If domain security is being utilized, the easiest and perhaps most
secure method of transmitting username and password information is to
enable Windows Authentication within IIS. In this mode, IE and IIS will
negotiate the security mechanisms to use and automatically authenticate
the user logged into the machine running IE from the IIS server. No
password is ever passed between the two computers and therefore cannot
be intercepted. Proficy customers should refer to GE Fanuc knowledge
base article KB12459 and the Microsoft documents in the References
section below for more information.

Restrict Access

Restrict network access to hosts that require connections to the portal.
Do not allow access to the portal from untrusted networks such as the
internet. 
Systems Affected
Vendor Status Date Updated 
GE Fanuc Vulnerable 24-Jan-2008 

References

http://www.securityfocus.com/archive/1/487075/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12459
http://support.microsoft.com/kb/324274
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/36ea667e-c578-43b5-87fa-a2f174efb27a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/SSLInfo.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/index.html 

Credit
This vulnerability was reported by Eyal Udassin of C4 Security. 
This document was written by Chris Taschner. 
Other Information
Date Public 24/01/2008 
Date First Published 25/01/2008 15:26:36 
Date Last Updated 25/01/2008 
CERT Advisory   
CVE Name CVE-2008-0174 
US-CERT Technical Alerts   
Metric 0.17 
Document Revision 38 

________________________________________________________________________

CPNI values your feedback.

1. Which of the following most reflects the value of the advisory to
you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our advisories?


Thank you for your contribution.

________________________________________________________________________

CSIRTUK wishes to acknowledge the contributions of US-CERT for the information
contained in this advisory.
________________________________________________________________________

This advisory contains information released by the original author. Some of the
information may have changed since it was released. If the issue affects you,
it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current information concerning that
problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions contained
within this advisory. In particular, they shall not be liable for any loss or
damage whatsoever, arising from or in connection with the usage of information
contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
________________________________________________________________________

<End of CPNI Advisory>


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR5/zhyh9+71yA2DNAQIRywP9HSpQMxWcyDHjOYD4f1+vh1RcAwad0fhS
OStfVRE1J4DoXE+xSTlaWt8ym/8X/RrND+TJ0fGVImz2NxU04dJyls6HPvCF+iBr
6tH5KM4uDmZRZsw4ZVNUY0NFTTtUKxC9JvChPvDty5+8xFifVC+wB6pXhObB/Cbg
F7OGfY3VqJg=
=igMN
-----END PGP SIGNATURE-----