Positive Technologies has announced it has found three vulnerabilities in GE SCADA software which can allow for the interception and abuse of passwords by criminals. The vulnerabilities, CVE-2016-9360, have been given the CVSS v3 score 6.4.
The first vulnerability makes it possible for an attacker to access legitimate sessions and intercept user passwords locally. Ilya Karpov from Positive Technologies claimed the vulnerabilities could permit criminals the ability to disrupt process flow at thousands of plants all over the world.
This vulnerability is found in General Electric's Proficy HMI/SCADA iFIX 5.8 SIM 13, Proficy HMI/SCADA CIMPLICITY 9.0 and Proficy Historian 6.0. All previous versions are also vulnerable.
Another flaw makes it possible for an attacker with local access to obtain industrial database passwords, after a few tweaks. iFIX 5.8 (Build 8255) and previous builds are exposed to this defect.
In the third vulnerability, industrial database Proficy Historian Administrator 126.96.36.199 makes it possible for a local attacker to block the authorisation of the application in the real-time database, either causing a failure at reading and recording history or database inoperability.
Moreover, Positive Technologies also discovered a critical fault in a security mechanism of all three systems related to use of standard passwords at network access authorisation. This allows remote access to industrial process control.
A motivated attacker could use the vulnerabilities discovered to change factory and utilities processes, damaging and breaking equipment and leading to economic loss and wide-scale service outages.
To eliminate the above mentioned vulnerabilities, Proficy HMI/SCADA iFIX needs to be updated to version 5.8 SIM 14, Proficy HMI/SCADA CIMPLICITY to version 9.5 and Proficy Historian to version 7.0.
“If user passwords are available in clear text, this may result in an attacker taking control of the SCADA system,” says Ilya Karpov, head of the ICS research and audit department at Positive Technologies.
Karpov added, “Upon standard authorisation in the system, the attacker can seriously influence a process, which may cause not only economic losses but also equipment damage or breakdown. If an attacker or malware obtains a password to a database, they can illegitimately modify it, creating various emergencies and loss of history data necessary for investigation.”
ICS-CERT has recommended that users take defensive measures to minimise the risk of exploitation of this vulnerability.
Specifically it says users should:
- Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognising that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise that VPN is only as secure as the connected devices.