ICS-CERT: GE Intelligent Platforms Directory Traversal Vulnerability

Tuesday, March 13, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

ICS-CERT received a report from GE Intelligent Platforms and the Zero Day Initiative (ZDI) concerning a directory traversal vulnerability in the GE Intelligent Platforms Proficy Real-Time Information Portal.

This vulnerability was reported to ZDI by independent security researcher Luigi Auriemma.

If exploited, this vulnerability could allow an attacker to create or overwrite a file on the system running Real-Time Information Portal. GE Intelligent Platforms has created patches to address this issue.

AFFECTED PRODUCTS

According to GE Intelligent Platforms the following product and versions are affected.
Proficy Real-Time Information Portal Versions:

• 3.5
• 3.0 SP1
• 3.0
• 2.6.

Note: Proficy Real-Time Information Portal Versions 2.5 and prior are not affected by this vulnerability.

IMPACT

Exploitation of this vulnerability could allow an attacker to create or overwrite a file on the system running Proficy Real-Time Information Portal.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

According to GE, Proficy Real-Time Information Portal is a web-based data visualization and reporting tool that is deployed across multiple industries worldwide.

VULNERABILITY OVERVIEW

A directory traversal vulnerability exists in the Remote Interface Service (rifsrvd.exe) that runs on Port 5159/TCP by default. The Remote Interface Service creates a file on the system and does not sufficiently validate two input strings that are used to create a configuration file on the server.

The vulnerability may allow a remote attacker to:

• Set the file’s name and extension (to create a new file or to overwrite an existing file)
• Supply text that will be inserted into the file.

According to GE, the vulnerability does not allow the attacker to directly execute the file and does not allow the attacker to define the file’s entire contents. CVE-2012-0232 has been assigned to this vulnerability.

EXPLOITABILITY:  This vulnerability is remotely exploitable.

EXISTENCE OF EXPLOIT: No known public exploits specifically target this vulnerability.

DIFFICULTY: An attacker with a moderate skill level may be able to exploit these vulnerabilities.

MITIGATION

GE Intelligent Platforms has released a security advisory and free product update Software Improvement Modules (SIMs) to address this vulnerability in Proficy Real-Time Information Portal Versions 3.5 and 3.0 SP1.

Proficy Real-Time Information Portal customers using Versions 3.0 and 2.6 are encouraged to upgrade to one of the versions described above and apply the appropriate product update. GE Intelligent Platforms urges all customers to follow the recommendations in their security advisory, which can be found here:

Note: A valid GE user ID and Customer Service Number are required to access the advisories and updates. Proficy SIMs are cumulative. All future SIMs will include these updates.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-032-03.pdf

Possibly Related Articles:
4081
SCADA
Industrial Control Systems
SCADA Vulnerabilities ICS ICS-CERT Industrial Control Systems Directory Traversal GE Intelligent Platforms
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.