GE created new versions to mitigate an insufficiently protected credentials vulnerability in Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software, according to a report with ICS-CERT.
Successful exploitation of this vulnerability may allow an attacker to retrieve user passwords. This vulnerability ended up discovered by Ilya Karpov of Positive Technologies.
The following GE products suffer from the issue:
• Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions
• Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions
• Proficy Historian Version 6.0 and prior versions
GE is a U.S.-based company that maintains offices in several countries around the world.
The affected product, Proficy HMI/SCADA iFIX, is a HMI/SCADA application. Proficy HMI/SCADA-CIMPLICITY is a client/server-based HMI/SCADA application. Proficy Historian is a data historian that collects, archives, and distributes production information. These products end up deployed across multiple sectors worldwide. GE Digital, GE’s Automation and Control business, and GE’s resellers and distributors sell the product. GE estimates these products see use on a global basis.
In terms of the vulnerability, an attacker may be able to retrieve user passwords if he or she has access to an authenticated session.
CVE-2016-9360 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.
This vulnerability is not exploitable remotely and cannot end up exploited without user interaction.
No known public exploits specifically target this vulnerability. In addition, an attacker with high skill would be able to exploit this vulnerability.
GE released new product versions with new product names to address the identified vulnerability in the affected products. GE released the iFIX software, Version 5.8 SIM 14, which is available at the following location.
GE has also released a new version of the CIMPLICITY software, Version 9.5, and the Historian, Version 7.0, which are available by contacting a GE Digital representative. Click here for contact information for GE.
GE released a new version of the Historian software, Version 5.5 SIM 37
GE released a new version of the HMI/SCADA iFIX 5.8 SIM 14
GE released a new version of the HMI/SCADA iFIX software, Version 5.5. iFIX users with versions earlier than Version 5.5 who cannot upgrade can call GE Support.
GE released a new version of the CIMPLICITY software, Version 8.2 SIM 49
GE released a new version of the CIMPLICITY software, Version 9.0 SIM 22
GE Digital recommended all users upgrade to GE HMI/SCADA CIMPLICITY 9.5. For users unable to upgrade to GE HMI/SCADA CIMPLICITY 9.5, the following steps may mitigate the risks described above:
• Enable project configuration security and limit the number of users that have access to the workbench to only those that need to configure the project
• Enable Windows domain authentication so that CIMPLICITY users’ passwords are not stored in CIMPLICITY