SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-323206132] GE Proficy HMI SCADA CIMPLICITY Privilege Management Vulnerability

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2016-07-12 | HMI | General Electric CIMPLICITY | Zhou Yu | N/A | 2016-5787 | N/A | N/A | N/A |

Source

#
# GE Proficy HMI SCADA CIMPLICITY Privilege Management Vulnerability
#


### OVERVIEW

Zhou Yu of Acorn Network Security identified an improper privilege management vulnerability and recently released exploit code for the GE Proficy HMI/SCADA CIMPLICITY application without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT. GE produced a new version to mitigate this vulnerability in August 2014.

Exploits that target this vulnerability are known to be publicly available.

### AFFECTED PRODUCTS

The following Proficy HMI/SCADA-CIMPLICITY versions are affected:

CIMPLICITY Version 8.2, SIM 26 or earlier.

### IMPACT

Successful exploitation of the vulnerability may allow an authenticated user on the system to modify the configuration of the CIMPLICITY service and launch any executable on the system as a service.
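The condition behind that impact is a service whose security descriptor lets non-administrative accounts change its configuration. As an added defensive check (not part of the advisory or of GE's documentation), the following Python parses the SDDL string that `sc sdshow <ServiceName>` prints on Windows and flags allow-ACEs that grant configuration-changing rights to well-known low-privileged principals; the two descriptors and the service names are constructed samples, not taken from a CIMPLICITY installation.

```python
import re

# SDDL right codes as they apply to service objects (sc sdshow output).
RIGHT_NAMES = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder change what the service runs or who controls it.
CONFIG_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
                 "GENERIC_ALL", "GENERIC_WRITE"}
# Well-known SID strings for non-administrative principals.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive",
                 "BU": "Users", "BG": "Guests", "AN": "Anonymous"}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);[^;]*;([^;]*);[^;]*;[^;]*;([^)]+)\)")

def parse_rights(field):
    """Return the set of right names encoded in one ACE rights field."""
    if field.startswith("0x"):  # some descriptors carry a raw access mask
        mask = int(field, 16)
        bits = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC",
                0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL"}
        return {name for bit, name in bits.items() if mask & bit}
    return {RIGHT_NAMES.get(field[i:i + 2], field[i:i + 2])
            for i in range(0, len(field), 2)}

def find_weak_aces(sddl):
    """List (principal, rights) pairs where a DACL allow-ACE grants a
    low-privileged principal the ability to reconfigure the service."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    findings = []
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        if ace_type != "A":  # SACL audit ACEs and deny ACEs are not grants
            continue
        granted = parse_rights(rights) & CONFIG_RIGHTS
        if granted and sid in LOW_PRIV_SIDS:
            findings.append((LOW_PRIV_SIDS[sid], sorted(granted)))
    return findings

# Constructed samples: a default-style descriptor, and one that hands
# Authenticated Users the DC (SERVICE_CHANGE_CONFIG) right.
SDDL_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SDDL_WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for name, sddl in (("ok_service", SDDL_OK), ("weak_service", SDDL_WEAK)):
        print(name, find_weak_aces(sddl) or "no config-changing rights for low-priv SIDs")
```

A finding for a service means any account in that group can repoint the service binary, which is the class of weakness the IMPACT section describes; the fix is to restrict the DACL so only administrators and SYSTEM hold DC, WD and WO.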

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

### BACKGROUND

GE is a US-based company that maintains offices in several countries around the world.

The affected product, Proficy HMI/SCADA-CIMPLICITY, is a Client/Server-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application. According to GE, Proficy HMI/SCADA-CIMPLICITY is deployed across several sectors.

### VULNERABILITY CHARACTERIZATION

# VULNERABILITY OVERVIEW

IMPROPER PRIVILEGE MANAGEMENT

Vulnerable versions may allow users to modify the CIMPLICITY service and thereby edit the service's configuration.

CVE-2016-5787 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).

### VULNERABILITY DETAILS

# EXPLOITABILITY

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads a malicious file.

# EXISTENCE OF EXPLOIT

Exploits that target this vulnerability are publicly available.

# DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability. Social engineering is required to convince the user to accept a malicious file, and additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.

### MITIGATION

In response to a recent public disclosure of proof-of-concept exploit code, GE has released a notification to its users of the identified vulnerability in an older version of the Proficy HMI/SCADA-CIMPLICITY application, along with the mitigation. GE's notification is available at the following location:

https://ge-ip.force.com/communities/en_US/Article/GE-Digital-Security-Advisory-GED-16-01

In August 2014, GE released a new version of Proficy HMI/SCADA-CIMPLICITY, Version 8.2, SIM 27, that mitigates the identified vulnerability; it is available at the following location with a valid account:

https://ge-ip.force.com/communities/en_US/Download/CIMPLICITY-8-2-SIM-27-DN

GE recommends that users upgrade to Proficy HMI/SCADA-CIMPLICITY Version 8.2, SIM 27 or later. The latest version, CIMPLICITY Version 8.2 SIM 43, is available at the following location with a valid account:

https://ge-ip.force.com/communities/en_US/Download/CIMPLICITY-8-2-SIM-43