GE created a new version to mitigate an improper privilege management vulnerability for the Proficy HMI/SCADA CIMPLICITY application, according to a report on ICS-CERT.
Exploits that target this vulnerability are known to be publicly available. Zhou Yu of Acorn Network Security discovered the vulnerability and released exploit code without coordination with ICS-CERT, the vendor, or any other coordinating entity.
CIMPLICITY Version 8.2, SIM 26 and earlier are affected by the issue.
Successful exploitation of the vulnerability may allow an authenticated user on the system to modify the configuration of the CIMPLICITY service and launch any executable on the system as a service.
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected product, Proficy HMI/SCADA–CIMPLICITY, is a client/server-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application. Proficy HMI/SCADA–CIMPLICITY is deployed across several sectors.
Vulnerable versions may allow users to modify the configuration of the CIMPLICITY service.
CVE-2016-5787 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.7.
This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads a malicious file.
An attacker with low skill would be able to exploit this vulnerability. Social engineering is mandatory to convince the user to accept a malicious file. Additional user interaction would be needed to load the malformed file. This decreases the likelihood of a successful exploit.
In response to a public disclosure of proof-of-concept exploit code, GE released a notification to its users of the identified vulnerability in an older version of the Proficy HMI/SCADA–CIMPLICITY application, along with the mitigation.
In August 2014, GE released a new version of Proficy HMI/SCADA–CIMPLICITY, Version 8.2, SIM 27, that mitigated the identified vulnerability.
GE recommends users upgrade to Proficy HMI/SCADA–CIMPLICITY, Version 8.2, SIM 27 or later versions. The latest version of CIMPLICITY is Version 8.2 SIM 43.
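To check whether a host still lets ordinary users change a service's configuration, the following added example (not from the advisory or from GE) audits the SDDL string printed by `sc sdshow <service>`. It assumes the weakness shows up as a service DACL granting configuration-change rights to broad groups; the advisory does not give the service name, and the SDDL strings below are constructed samples.

```python
import re

# SDDL rights codes that let a principal reconfigure a service:
# DC=SERVICE_CHANGE_CONFIG, WD=WRITE_DAC, WO=WRITE_OWNER, GA/GW=generic all/write.
RISKY_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}
# The same rights as access-mask bits, for ACEs that use the hex form.
HEX_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO",
            0x10000000: "GA", 0x40000000: "GW"}
# SID aliases for broad, low-privilege groups ("WD" here means Everyone).
BROAD_SIDS = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
              "IU": "Interactive", "AN": "Anonymous", "BG": "Guests"}

def dacl_of(sddl):
    """Return only the DACL ACEs so SACL audit entries are not misread."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    return m.group(1) if m else ""

def risky_rights(rights):
    """Return the reconfiguration rights present in one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in HEX_BITS.items() if mask & bit}
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return codes & RISKY_RIGHTS

def audit_service_sddl(sddl):
    """List (group, rights) pairs where a broad group can reconfigure the service."""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl_of(sddl)):
        fields = ace.split(";")
        # Field 0 = ACE type, 2 = rights, 5 = trustee. Only allow ACEs matter.
        if len(fields) < 6 or fields[0] != "A":
            continue
        hits = risky_rights(fields[2])
        if fields[5] in BROAD_SIDS and hits:
            findings.append((BROAD_SIDS[fields[5]], sorted(hits)))
    return findings

# Constructed samples: a DACL that lets Authenticated Users change the service
# configuration, and a tighter one whose SACL must not be mistaken for a grant.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for name, sddl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_service_sddl(sddl) or "no broad reconfiguration rights")
```

Deny ACEs and group nesting are not evaluated, so an empty result narrows the search rather than proving the service is locked down.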