GE has new software to mitigate multiple vulnerabilities in its MDS PulseNET and MDS PulseNET Enterprise, according to a report from NCCIC.
The vulnerabilities are improper authentication, improper restriction of XML external entity reference, and relative path traversal.
Exploitation of these remotely exploitable vulnerabilities, discovered by rgod, who reported them to the Zero Day Initiative (ZDI), may allow elevation of privilege and exfiltration of information on the host platform.
The vulnerabilities affect the following MDS PulseNET products:
• PulseNET Version 3.2.1 and prior
• PulseNET Enterprise Version 3.2.1 and prior
In one vulnerability, the Java Remote Method Invocation (RMI) input port may be exploited to allow unauthenticated users to launch applications and support remote code execution through Web Services.
CVE-2018-10611 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
In addition, multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform.
CVE-2018-10613 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Also, a directory traversal may lead to files being exfiltrated or deleted on the host platform.
CVE-2018-10615 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
The products see use mainly in the energy and water and wastewater systems sectors. They are also deployed on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
GE modified the product architecture and software of PulseNET. The latest version mitigates these specific vulnerabilities. GE encourages users to update PulseNET to Version 4.1 or newer to eliminate these vulnerabilities.
In addition, GE recommends securing the PulseNET server using a defense-in-depth approach. Some key security considerations when deploying the PulseNET application include ensuring:
• Electronic and physical access to the PulseNET server is limited to only authorized individuals and clients
• The host server is dedicated to the PulseNET application only
• The PulseNET server is not accessible from the Internet
• The principle of least privilege is applied to the host operating system
• The PulseNET server is appropriately hardened and maintained to the current patch level as prescribed by the OEM
• The PulseNET server is restricted to communicating with MDS hosts only
GE published a product bulletin with mitigation for these vulnerabilities on its webpage (login required).