Independent researcher Andrea Micalizzi has identified a command injection vulnerability in a third-party HTML help application used by some GE Intelligent Platforms Proficy products.
While analyzing this report, GE identified a stack-based buffer overflow vulnerability that also existed in the same component. These vulnerabilities were coordinated through the Zero Day Initiative (ZDI). A remote attacker could exploit these vulnerabilities.
GE Intelligent Platforms has provided a tool to remove the unnecessary ActiveX component that introduced these vulnerabilities.
The following GE Intelligent Platforms products are affected:
• Proficy Historian: Versions 4.5, 4.0, 3.5, and 3.1
• Proficy HMI/SCADA – iFIX: Versions 5.1 and 5.0
• Proficy Pulse: Version 1.0
• Proficy Batch Execution: Version 5.6
• SI7 I/O Driver: Versions between 7.20 and 7.42
By luring a user into visiting a malicious website, an attacker could exploit these vulnerabilities to execute arbitrary code on the client or place or replace files on the client.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
According to GE, Proficy is automation and operations management software that is deployed across multiple industries worldwide.
STACK-BASED BUFFER OVERFLOW: A remote stack-based buffer overflow condition exists in the KeyHelp.ocx control because it fails to perform adequate boundary checks on user-supplied input. CVE-2012-2515 has been assigned to this vulnerability. According to the researcher, a CVSS V2 Base score of 7.5 has been assigned.
IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS: A remote command injection vulnerability exists in the KeyHelp.ocx control because it fails to restrict or perform adequate validation on user-supplied input. CVE-2012-2516 has been assigned to this vulnerability.
EXPLOITABILITY: These vulnerabilities are remotely exploitable.
EXISTENCE OF EXPLOIT: No known public exploits specifically target these vulnerabilities.
DIFFICULTY: An attacker with a medium skill would be able to exploit these vulnerabilities with the use of social engineering.
GE Intelligent Platforms recommends that the KeyHelp.ocx ActiveX control be unregistered and deleted to eliminate these vulnerabilities. GE Intelligent Platforms has provided product-specific removal instructions for each of the affected products so that each product continues to function properly once the control is removed. Please see their instructions at the following location:
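As an added illustration of the mitigation described above (this script is not GE's removal tool and is not part of the advisory), the following PowerShell locates any registered copy of KeyHelp.ocx by scanning CLSID registrations, reports it, and, when asked, sets the Internet Explorer kill bit for the discovered CLSID before unregistering and deleting the file. The CLSID is discovered at run time rather than hard-coded because the advisory does not list it; the registry paths and the 0x400 kill-bit flag are standard Windows locations, and the assumption is that the control is registered under an ordinary InprocServer32 key.

```powershell
# Added example, not GE's removal tool. Run from an elevated PowerShell session.
# Without -Remove the script only reports where KeyHelp.ocx is registered.
[CmdletBinding()]
param(
    [switch]$Remove
)

$pattern  = 'KeyHelp\.ocx$'
$findings = @()

# Check both native and 32-bit (WOW6432Node) class registrations.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)

foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            # The (default) value of InprocServer32 is the path of the COM server DLL/OCX.
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match $pattern) {
                $findings += [pscustomobject]@{ Clsid = $_.PSChildName; Path = $server }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'KeyHelp.ocx is not registered on this host.'
    return
}

$findings | Format-Table -AutoSize

if (-not $Remove) {
    Write-Output 'Re-run with -Remove to set the kill bit, unregister and delete the control.'
    return
}

foreach ($f in $findings) {
    # 1. Kill bit: Internet Explorer will not instantiate a CLSID whose
    #    "Compatibility Flags" value has bit 0x400 set, even if the OCX is still registered.
    $kb = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($f.Clsid)"
    New-Item -Path $kb -Force | Out-Null
    New-ItemProperty -Path $kb -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null

    # 2. Unregister the control so the CLSID no longer resolves to the file.
    if (Test-Path $f.Path) {
        Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$($f.Path)`"" -Wait -NoNewWindow
        # 3. Delete the file so it cannot simply be re-registered later.
        Remove-Item -Path $f.Path -Force -ErrorAction SilentlyContinue
    }
    Write-Output "Processed $($f.Clsid) -> $($f.Path)"
}
```

Running the script without `-Remove` is a useful inventory check across a fleet of HMI and Historian hosts; the kill bit is applied first so that the browser-based attack path is closed even if the unregister step fails on a locked file. GE's per-product instructions remain the authority on what each Proficy product needs once the control is gone.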
A username and password may be required.
The full ICS-CERT advisory can be found here: