General Electric (GE) has a new version that mitigates an XML external entity (XXE) vulnerability in its Proficy GDS, according to a report from NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Vladimir Dashchenko of Kaspersky Lab, could allow an attacker to initiate an OPC UA session and retrieve an arbitrary file.
The following versions of GE Cimplicity ship with the affected GDS service:
• Cimplicity 9.0 R2
• Cimplicity 9.5
• Cimplicity 10.0
An XXE injection vulnerability leads to path traversal inside the Proficy server. An attacker may be able to initiate an OPC UA session and retrieve an arbitrary file from the targeted system.
CVE-2018-15362 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.2.
The product sees use in the chemical, critical manufacturing, dams, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems sectors. It is used on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
GE recommends users update to Version 2.1 or newer (Login required).
GE released a security advisory.