-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.0156
 [Win] GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques
                              17 February 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              GE Fanuc Proficy HMI/SCADA iFIX
Publisher:            US-CERT
Operating System:     Windows
Impact:               Reduced Security
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0216

Original Bulletin:
  http://www.kb.cert.org/vuls/id/310355

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#310355

GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques

Overview

   Vulnerabilities in the way GE Fanuc iFIX handles authentication could
   allow a remote attacker to log on to the system with elevated
   privileges.

I. Description

   GE Fanuc iFIX is SCADA client/server software that includes a Human
   Machine Interface (HMI) component and runs on Microsoft Windows CE, NT,
   2000, Server 2003, XP, or Vista.

   Authentication to iFIX is handled insecurely. Usernames and passwords
   are stored on the client in a local file. The passwords are obfuscated
   in this file using a weak encryption algorithm. According to GE Fanuc:

      Attackers can gain copies of this file in two ways. The first way
      requires that an attacker have an interactive session with the
      computer containing the file, such as a direct login, or through a
      remote terminal session, VNC, or some other remote session
      providing access to a command shell. Using the shell, the attacker
      can simply copy the file and extract the passwords at some later
      point.

      Another way an attacker can gain access to this file is by
      intercepting the file over the network. This can occur if the file
      is shared between two computers using Microsoft Windows network
      sharing.
      In this case, an attacker may be able to recreate the file by using
      a network sniffer to monitor network traffic between them.

   Since iFIX performs authentication in the client, an attacker can
   modify or replace authentication code. According to GE Fanuc:

      Authentication and authorization of users are implemented through
      certain program modules. These modules can be modified at the
      binary level to bypass user authentication. To exploit this type of
      attack, an attacker needs to be able to launch unauthorized
      applications from an interactive shell.

   Furthermore, iFIX may also be susceptible to the Microsoft Windows
   AutoRun issue discussed in TA09-020A. Arbitrary code executed via
   AutoRun can bypass iFIX environment protection and interact directly
   with Windows, which could result in modification or replacement of the
   authentication modules.

   Note that this issue affects versions of GE Fanuc iFIX up to and
   including version 5.0.

II. Impact

   An attacker who can access the credentials file or intercept network
   traffic can obtain authentication credentials and gain unauthorized
   access to iFIX systems.

III. Solution

   Until a more complete solution is available, consider the workarounds
   below.

Apply Workarounds

   GE Fanuc has released a vendor statement [1] detailing mitigation
   strategies for this issue. These include:

      * Isolate the iFIX HMI/SCADA network from the corporate network
      * Do not share the iFIX Local directory
      * Configure iFIX nodes as View only
      * Enable Environment protection
      * Disable AutoRun

Systems Affected

   Vendor     Status       Date Notified   Date Updated
   GE Fanuc   Vulnerable   2009-02-11

References

   http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search
   http://www.us-cert.gov/cas/techalerts/TA09-020A.html
   http://www.mcgrewsecurity.com/2009/02/10/ge-fanuc-releases-info-on-ifix-vulnerabilities-vu-310355/

Credit

   This issue was reported by Rayford Vaughn and Robert Wesley McGrew at
   Mississippi State University.

   This document was written by Chris Taschner.
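The workaround list above names three conditions that can be verified from the node itself: the iFIX Local directory must not be exposed as a Windows share, AutoRun should be disabled, and the authentication modules should not have been altered. The PowerShell audit script below is an added example and is not part of the US-CERT note, the AusCERT bulletin, or any GE Fanuc tooling. It assumes: the iFIX Local directory and the directory holding the authentication modules are given as placeholder paths (`C:\PLACEHOLDER\...`; the bulletin does not state them), the modules are `.dll`/`.exe` files, and the AutoRun state is read from the standard Windows `NoDriveTypeAutoRun` policy value referenced by TA09-020A (0xFF disables AutoRun for every drive type). Network isolation and the View-only / Environment-protection iFIX settings are application configuration the bulletin does not detail, so the script does not check them.

```powershell
# Added example: audit a Windows iFIX node against the VU#310355 workarounds.
# Not from the bulletin or the vendor. Directory paths are placeholders;
# substitute the real locations for your installation.
param(
    [string]$IFixLocalDir  = 'C:\PLACEHOLDER\iFIX\Local',      # placeholder: iFIX Local directory
    [string]$AuthModuleDir = 'C:\PLACEHOLDER\iFIX',            # placeholder: where auth modules live
    [string]$BaselineFile  = "$env:ProgramData\ifix-auth-baseline.csv",
    [switch]$RecordBaseline                                    # first run: record hashes, do not compare
)

$findings = @()

# 1. "Do not share the iFIX Local directory": a share rooted at the directory
#    or at any parent of it exposes the credentials file over SMB.
$resolved = Resolve-Path -LiteralPath $IFixLocalDir -ErrorAction SilentlyContinue
$localDir = if ($resolved) { $resolved.Path } else { $IFixLocalDir }
$localDir = $localDir.TrimEnd('\') + '\'
foreach ($share in Get-CimInstance -ClassName Win32_Share) {
    if ([string]::IsNullOrEmpty($share.Path)) { continue }      # IPC$ and printer shares carry no path
    $sharePath = $share.Path.TrimEnd('\') + '\'
    if ($localDir.StartsWith($sharePath, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Share '$($share.Name)' ($($share.Path)) exposes the iFIX Local directory"
    }
}

# 2. "Disable AutoRun": the Explorer policy value must cover all drive types (0xFF).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autoRun) {
    $findings += "NoDriveTypeAutoRun is not set under $policyKey; AutoRun is not policy-disabled"
} elseif ($autoRun -ne 0xFF) {
    $findings += ("NoDriveTypeAutoRun is 0x{0:X}; 0xFF disables AutoRun on every drive type" -f $autoRun)
}

# 3. Authentication modules "can be modified at the binary level": keep a SHA-256
#    baseline of the module files and report anything new or changed.
$modules = Get-ChildItem -LiteralPath $AuthModuleDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dll', '.exe' } |          # assumption: modules are DLL/EXE files
    ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($RecordBaseline) {
    $modules | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
    Write-Output "Recorded $($modules.Count) module hashes to $BaselineFile"
} elseif (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @{}
    Import-Csv -LiteralPath $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    foreach ($m in $modules) {
        if (-not $baseline.ContainsKey($m.Path)) {
            $findings += "Module not in baseline: $($m.Path)"
        } elseif ($baseline[$m.Path] -ne $m.Hash) {
            $findings += "Module hash changed since baseline: $($m.Path)"
        }
    }
    foreach ($known in $baseline.Keys) {
        if (-not ($modules.Path -contains $known)) { $findings += "Baselined module missing: $known" }
    }
} else {
    $findings += "No baseline at $BaselineFile; run once with -RecordBaseline on a known-good node"
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: Local directory not shared, AutoRun disabled, modules match baseline'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with `-RecordBaseline` on a freshly installed, known-good node so the hash baseline is captured before the machine is exposed; subsequent runs (for example from a scheduled task) exit non-zero whenever a share, the AutoRun policy, or a module hash deviates. The baseline file should itself be stored where local users of the HMI cannot rewrite it, since an attacker with the interactive shell the bulletin describes could otherwise re-baseline a patched module.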
Other Information

   Date Public:               2009-02-11
   Date First Published:      2009-02-11
   Date Last Updated:         2009-02-16
   CERT Advisory:
   CVE-ID(s):                 CVE-2009-0216
   NVD-ID(s):                 CVE-2009-0216
   US-CERT Technical Alerts:
   Metric:                    0.68
   Document Revision:         17

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD4DBQFJmfrwNVH5XJJInbgRAgRWAJd6pzM3lYc4DAsJmgDYEBWB6EA4AJ9LRApN
oSvcusX8K7znyEyVq3ZDNg==
=GjmL
-----END PGP SIGNATURE-----