GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2009.0156 -- [Win]
  GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques
                             17 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GE Fanuc Proficy HMI/SCADA iFIX
Publisher:            US-CERT
Operating System:     Windows
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0216

Original Bulletin:    http://www.kb.cert.org/vuls/id/310355

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#310355

GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques

Overview

Vulnerabilities in the way GE Fanuc iFIX handles authentication could 
allow a remote attacker to log on to the system with elevated privileges.

I. Description

GE Fanuc iFIX is SCADA client/server software that includes a Human 
Machine Interface (HMI) componant and runs on Microsoft Windows CE, NT, 
2000, Server 2003, XP, or Vista. Authentication to iFIX is handled 
insecurely. Usernames and passwords are stored on the client in a local 
file. The passwords are obfuscated in this file using a weak encryption 
algorithm. According to GE Fanuc:

      Attackers can gain copies of this file in two ways. The first way 
      requires that an attacker have an interactive session with the 
      computer containing the file, such as a direct login, or through a 
      remote terminal session, VNC, or some other remote session providing 
      access to a command shell. Using the shell, the attacker can simply 
      copy the file and extract the passwords at some later point. Another 
      way an attacker can gain access to this file is by intercepting the 
      file over the network. This can occur if the file is shared between 
      two computers using Microsoft Windows network sharing. In this case, 
      an attacker may be able to recreate the file by using a network 
      sniffer to monitor network traffic between them.

Since iFIX performs authentication in the client, an attacker can modify or 
replace authentication code. According to GE Fanuc:

      Authentication and authorization of users are implemented through 
      certain program modules. These modules can be modified at the binary 
      level to bypass user authentication. To exploit this type of attack, 
      an attacker needs to be able to launch unauthorized applications from 
      an interactive shell.

Furthermore, iFIX may also be susceptible to the Microsoft Windows AutoRun 
issue discussed in TA09-020A. Arbitrary code executed via AutoRun can bypass 
iFIX environment protection and interact directly with Windows, which could 
result in modification or replacement of the authentication modules.

Note that this issue affects versions of GE Fanuc iFIX up to and including 
version 5.0.

II. Impact

An attacker who can access the credentials file or intercept network traffic 
can obtain authentication credntials and gain unauthorized access to iFIX 
systems.

III. Solution

Until a more complete solution is available, consider the workarounds below.

Apply Workarounds

GE Fanuc has released a vendor statement [1] detailing mitigation 
stratigies for this issue. These include:

    * Isolate the iFIX HMI/SCADA network from the corporate network
    * Do not share the iFIX Local directory
    * Configure iFIX nodes as View only
    * Enabled Environment protection
    * Disable AutoRun

Systems Affected

Vendor	        Status	                Date Notified	       Date Updated
GE Fanuc	Vulnerable		2009-02-11

References

http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
http://www.mcgrewsecurity.com/2009/02/10/ge-fanuc-releases-info-on-ifix-vulnerabilities-vu-310355/

Credit

This issue was reported by Rayford Vaughn and Robert Wesley McGrew at 
Mississippi State University.

This document was written by Chris Taschner.
Other Information
Date Public:	        2009-02-11
Date First Published:	2009-02-11
Date Last Updated:	2009-02-16
CERT Advisory:	 
CVE-ID(s):	        CVE-2009-0216
NVD-ID(s):	        CVE-2009-0216
US-CERT Technical Alerts:	 
Metric:	0.68
Document Revision:	17

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD4DBQFJmfrwNVH5XJJInbgRAgRWAJd6pzM3lYc4DAsJmgDYEBWB6EA4AJ9LRApN
oSvcusX8K7znyEyVq3ZDNg==
=GjmL
-----END PGP SIGNATURE-----