A new tool is available to remove the issue that caused a command injection vulnerability in a third-party HTML help application used by some GE Intelligent Platforms Proficy products, according to a report on ICS-CERT.
In addition, while analyzing this report, GE identified a stack-based buffer overflow vulnerability that also existed in the same component. These remotely exploitable vulnerabilities were coordinated through the Zero Day Initiative (ZDI). Independent researcher Andrea Micalizzi found the initial vulnerability.
GE Intelligent Platforms created the tool that will remove the unnecessary ActiveX component that introduced these vulnerabilities.
The following GE Intelligent Platforms products suffer from the issue:
• Proficy Historian: Versions 4.5, 4.0, 3.5, and 3.1
• Proficy HMI/SCADA – iFIX: Versions 5.1 and 5.0
• Proficy Pulse: Version 1.0
• Proficy Batch Execution: Version 5.6
• SI7 I/O Driver: Versions between 7.20 and 7.42.
By luring a user into visiting a malicious website, an attacker could exploit these vulnerabilities to execute arbitrary code on the client or place or replace files on the client. An attacker with medium skill would be able to exploit these vulnerabilities with the use of social engineering.
Proficy is automation and operations management software deployed across multiple industries worldwide, GE said.
A remote stack-based buffer overflow condition exists in the KeyHelp.ocx control because it fails to perform adequate boundary checks on user-supplied input. CVE-2012-2515 is the number assigned to this vulnerability, which has a CVSS V2 Base score of 7.5.
A remote command injection vulnerability exists in the KeyHelp.ocx control because it fails to restrict or perform adequate validation on user-supplied input. CVE-2012-2516 is the number assigned to this vulnerability.
GE Intelligent Platforms recommends unregistering and deleting the KeyHelp.ocx ActiveX control to eliminate these vulnerabilities. GE Intelligent Platforms provided specific control removal instructions for each of the affected products to ensure the product continues to function properly once the user removes the control. The user may need a username and password to access GE's instructions.
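Before and after following the removal instructions, an administrator can check whether KeyHelp.ocx is still registered as a COM control on a workstation. The PowerShell script below is an added example, not GE's tool or GE's instructions. It is read-only, and it assumes the standard Windows COM registration keys and the Internet Explorer ActiveX "Compatibility Flags" kill-bit value (0x400) rather than any identifier from the advisory.

```powershell
# Read-only audit: report COM registrations whose in-process server is KeyHelp.ocx.
# Registry locations are standard Windows paths (assumption), not taken from the advisory.
$controlName = 'KeyHelp.ocx'
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',                 # machine-wide, native view
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',     # machine-wide, 32-bit view
    'HKCU:\Software\Classes\CLSID'                  # per-user registrations
)
$killBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    # True if Internet Explorer is told not to instantiate this CLSID (flag 0x400).
    param([string]$Clsid)
    foreach ($root in $killBitRoots) {
        $key  = Join-Path $root $Clsid
        $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item -and ($item.'Compatibility Flags' -band 0x400)) { return $true }
    }
    return $false
}

$findings = foreach ($root in $clsidRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # Keys we cannot open are skipped rather than aborting the scan.
        $serverKey = try { $clsidKey.OpenSubKey('InprocServer32') } catch { $null }
        if ($null -eq $serverKey) { continue }
        $server = [string]$serverKey.GetValue('')   # default value = path to the DLL/OCX
        $serverKey.Close()
        if ($server -notlike "*$controlName*") { continue }
        $path = $server.Trim('"')
        [pscustomobject]@{
            Clsid      = $clsidKey.PSChildName
            Hive       = $root
            ServerPath = $path
            FileOnDisk = Test-Path -LiteralPath $path
            KillBitSet = Test-KillBit -Clsid $clsidKey.PSChildName
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No registration of $controlName found on this host."
}
```

A host is clean when the script reports no registration and the file is gone from disk. A row with `FileOnDisk` true or `KillBitSet` false means the control is still present and should be removed using the product-specific instructions.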