GE has released new software to mitigate a stack-based buffer overflow in its CIMPLICITY product, according to an advisory published by ICS-CERT.
CIMPLICITY, an HMI/SCADA management platform, is affected in versions 9.0 and prior. The vulnerability is remotely exploitable and was discovered by David Atch of CyberX.
Successful exploitation of this vulnerability could cause the targeted device to crash; because the condition is a buffer overflow, it may also allow arbitrary remote code execution.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
The flaw lies in a function that reads a length field from a packet to determine the size of the next packet. That announced length is used without being verified against the size of the receiving buffer, so an oversized value overwrites the buffer, which could lead to arbitrary remote code execution.
CVE-2017-12732 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
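The pattern the advisory describes, an announced length trusted as a copy size, is easiest to see next to its fix. The following is an added illustration written for this article, not CIMPLICITY code or anything from GE or ICS-CERT: a generic 2-byte big-endian length prefix, an assumed 256-byte frame buffer, and constructed sample packets. The flawed variant deliberately reports how far an unchecked copy would run past the buffer instead of performing it, so the program stays memory-safe; the hardened variant adds the two checks that are missing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Maximum payload one frame may carry (an assumed value for this example). */
#define FRAME_MAX 256

enum parse_status { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_LONG = -2 };

struct frame {
    uint16_t len;
    uint8_t  data[FRAME_MAX];
};

/* Reads the 2-byte big-endian length prefix that tells the receiver how
 * large the following payload is. Both variants below start here; they
 * differ in what they do with the value. */
static uint16_t read_len_prefix(const uint8_t *buf)
{
    return (uint16_t)((buf[0] << 8) | buf[1]);
}

/* Flawed pattern: the announced length is trusted. To keep this example
 * memory-safe it does NOT perform the copy; it returns how many bytes an
 * unchecked memcpy(frame->data, buf + 2, len) would write past data[].
 * A non-zero return is exactly the stack overwrite the advisory describes. */
static size_t unchecked_overrun_bytes(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < 2) return 0;
    uint16_t len = read_len_prefix(buf);
    return len > FRAME_MAX ? (size_t)(len - FRAME_MAX) : 0;
}

/* Hardened version: the announced length is checked against both the
 * destination buffer and the bytes actually present before any copy. */
static enum parse_status read_frame_checked(const uint8_t *buf, size_t buf_len,
                                            struct frame *out)
{
    if (buf_len < 2) return PARSE_SHORT;
    uint16_t len = read_len_prefix(buf);
    if (len > FRAME_MAX) return PARSE_TOO_LONG;   /* the missing bounds check */
    if (buf_len - 2 < len) return PARSE_SHORT;    /* truncated input */
    memcpy(out->data, buf + 2, len);
    out->len = len;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t huge_pkt[]  = { 0xFF, 0xFF, 'x', 'y' };      /* claims 65535 bytes */
static const uint8_t short_pkt[] = { 0x00, 0x0A, 'a', 'b', 'c' }; /* claims 10, has 3 */

int main(void)
{
    struct frame f;
    printf("good : status %d, len %u\n",
           read_frame_checked(good_pkt, sizeof good_pkt, &f), f.len);
    printf("huge : status %d, unchecked copy would overrun by %zu bytes\n",
           read_frame_checked(huge_pkt, sizeof huge_pkt, &f),
           unchecked_overrun_bytes(huge_pkt, sizeof huge_pkt));
    printf("short: status %d\n",
           read_frame_checked(short_pkt, sizeof short_pkt, &f));
    return 0;
}
```

The second check matters as much as the first: rejecting a length larger than the buffer stops the overwrite, while rejecting a length larger than the bytes received stops an over-read of whatever follows the packet in memory.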
The product is used mainly in the chemical, critical manufacturing, dams, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems sectors, and it is deployed worldwide.
GE released CIMPLICITY software Version 9.5 and recommends users update to that version or the latest version. The Series 90 TCP/IP communications support has been deprecated and users are encouraged to use the “convert to triplex” application tool, which has been available since CIMPLICITY Version 8.0, to obtain communication support if needed.
Documentation, procedural information and the Version 9.5 upgrade itself are available at this location (login required).