General Electric (GE) has mitigation details for multiple vulnerabilities that impact its Intelligent Platforms Proficy HMI/SCADA—CIMPLICITY, according to a report on ICS-CERT.
GE has addressed the two remotely exploitable vulnerabilities: A directory transversal vulnerability and improper input validation vulnerability.
GE released two security advisories (GEIP12-13 and GEIP12-19) available on the GE Intelligent Platforms support Web site to inform users about these vulnerabilities.
The following GE Intelligent Platforms products suffer from the issue:
• Proficy HMI/SCADA – CIMPLICITY: Version 4.01 and greater, and
• Proficy Process Systems with CIMPLICITY.
If an attacker exploits the vulnerabilities, they could allow an unauthenticated remote attacker to cause the CIMPLICITY built-in Web server to crash or to run arbitrary commands on a server running the affected software, or could potentially allow an attacker to take control of the CIMPLICITY server.
An attacker can exploit the vulnerabilities by sending specially crafted HTTP requests to the listening service. The attacks do not require authentication and can occur remotely. The vulnerable components are not enabled by default.
CVE-2013-0654 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.8.
There are no known exploits specifically target these vulnerabilities. An attacker with a low skill would be able to exploit these vulnerabilities.