SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-567917187] GE Bently Nevada 3500/22M Improper Authorization Vulnerability

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2016-10-06 | OTHER | GE Bently Nevada 3500/22M | GE | N/A | 2016-5788 | N/A | N/A | N/A

Source

#
# GE Bently Nevada 3500/22M Improper Authorization Vulnerability
#


### OVERVIEW

This advisory was originally posted to the US-CERT secure Portal library on September 8, 2016, and is being released to the NCCIC/ICS-CERT web site.

GE has identified an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system. GE has produced a new firmware version to mitigate this vulnerability in the USB version of the GE Bently Nevada 3500/22M monitoring system.

This vulnerability could be exploited remotely.




### AFFECTED PRODUCTS

The following GE Bently Nevada 3500/22M firmware versions are affected:

* GE Bently Nevada 3500/22M (USB version), all versions prior to firmware Version 5.0, and
* GE Bently Nevada 3500/22M (serial version), all versions.






### IMPACT

Successful exploitation of the identified vulnerability may allow a remote attacker to gain unauthorized access to the affected device with elevated privileges.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.






### BACKGROUND

GE Bently Nevada is a wholly owned subsidiary of GE, a US-based company that maintains offices in several countries around the world.

The affected product, GE Bently Nevada 3500/22M, is a vibration monitoring system. According to GE, the GE Bently Nevada 3500/22M is deployed across several sectors including Chemical and Energy. GE estimates that these products are used worldwide.





### VULNERABILITY CHARACTERIZATION


# VULNERABILITY OVERVIEW

IMPROPER AUTHORIZATION

Several open ports have been identified on the affected device, which allow unauthorized access to the device with elevated privileges.
CVE-2016-5788 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).






### VULNERABILITY DETAILS


# EXPLOITABILITY

This vulnerability could be exploited remotely.


# EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.


# DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability.





### MITIGATION

GE has released a new firmware version for the GE Bently Nevada 3500/22M TDI USB monitoring system, Version 5.0. GE's new firmware can only be applied to the USB version of the GE Bently Nevada 3500/22M monitoring system. 

Users registered with a GE Bently Nevada Technical Support Agreement can download Version 5.0 and access GE's Technical Information Letter (TIL-149700250) detailing further mitigation strategies at the following URL with a valid account:

http://www.bntechsupport.com

GE recommends that users of the serial version of the GE Bently Nevada 3500/22M upgrade the affected device.


Users who are concerned about the security of their GE Bently Nevada 3500 System should:

* Employ system hardening techniques for GE Bently Nevada's 3500 System as outlined in document 106M9733 - 3500 Hardening Guideline. This document is available through www.bntechsupport.com.

* Contact GE Bently Nevada for information regarding installations compliant with IEC 62443-2-4 Level 1.

* Implement a bump-in-the-wire solution to provide secure communication between endpoints, which may enhance security.

* Effectively segment networks and implement demilitarized zones (DMZs) with properly configured firewalls to selectively control and monitor traffic passed between zones.