GE created an update that mitigates a memory access violation vulnerability in its CIMPLICITY CimView application, according to a report on ICS-CERT.
GE’s Proficy HMI/SCADA–CIMPLICITY, Version 8.2 and prior, suffers from the vulnerability, discovered by independent researcher Said Arfi.
If exploited, this vulnerability could allow an attacker to execute arbitrary commands on a system running the affected software.
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected product, Proficy HMI/SCADA–CIMPLICITY, is a Client/Server-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application. According to GE, Proficy HMI/SCADA–CIMPLICITY sees action across multiple industries.
A vulnerability exists in CIMPLICITY CimView and CIMPLICITY CimEdit components in the way they process information stored in the CIMPLICITY screen (.CIM) files. A specially crafted .CIM file could potentially lead to a memory access violation and arbitrary code execution.
CVE-2014-2355 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.6.
This vulnerability is not exploitable remotely, and it requires some user interaction to exploit. No known public exploits specifically target this vulnerability. An attacker with moderate skill would be able to exploit this vulnerability.
GE recommends asset owners apply product updates to Proficy HMI/SCADA–CIMPLICITY Versions 8.1 and 8.2. The following product updates address the memory access violation vulnerability:
In cases where upgrading is not feasible, GE advises asset owners using CIMPLICITY versions prior to 8.1 to consider using the following recommendations that may mitigate or eliminate the impact of the vulnerability:
• Take steps to properly secure and protect stored CIMPLICITY screen files (.CIM)
• Avoid using .CIM files received from unknown sources
• Avoid sending unprotected .CIM files over unencrypted networks or the public Internet
• Consider using a strong hashing algorithm to validate integrity of created .CIM files and ensure they have not been tampered with over time