Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

GE SCADA Product Vulnerabilities Show Importance of Secure Configurations

GE Digital has released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software, which is used by plants around the world to monitor and control operations.

GE Digital has released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software, which is used by plants around the world to monitor and control operations.

The flaws were found by industrial cybersecurity firm OTORIO, which this week published a brief blog post describing the issues. GE and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released separate advisories for each of the vulnerabilities.GE patches vulnerabilities in Proficy CIMPLICITY SCADA software

One of the security holes, tracked as CVE-2022-23921, can be exploited for privilege escalation and remote code execution. However, successful exploitation requires access to the device running Proficy CIMPLICITY and the targeted server must not be running a project and it must be licensed for multiple projects. GE has released an update that should patch this vulnerability.

“CVE-2022-23921 may allow an attacker with a limited access to the CIMPLICITY server to escalate privileges by dropping a malicious file within the CIMPLICITY runtime project,” Matan Dobrushin, VP of research at OTORIO, told SecurityWeek.

The second issue, identified as CVE-2022-21798, is related to the transmission of credentials in clear text. An attacker who can capture the credentials through a man-in-the-middle (MitM) attack can use them to authenticate to the HMI and obtain information about alerts and other parts of the system. GE said an attacker — in some cases — may also be able to change values in the system.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference

“Given CIMPLICITY’s central role in OT environments, the two vulnerabilities introduce a huge disruptive impact potential on this operational server. We can assume that if and when attackers establish a foothold in the network, CIMPLICITY will be on top of their list,” OTORIO warned in its blog post.

GE said users can prevent exploitation of CVE-2022-21798 by enabling encrypted communications. In fact, OTORIO noted that both vulnerabilities can be mitigated if the server has a secure configuration. The company noted, however, that this is often not the case.

[ READ: Here’s How Flaws in GE Relays Could Be Exploited in Real World Attacks ]

Advertisement. Scroll to continue reading.

This is not the first time OTORIO has looked into the security of GE CIMPLICITY. The company last year released an open source hardening tool designed to help organizations secure their GE CIMPLICITY systems. GE has also advised customers to use the OTORIO tool.

It’s important that industrial organizations do not ignore these types of vulnerabilities. CIMPLICITY products have been targeted as part of sophisticated attacks linked to state-sponsored threat actors.

Related: InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks

Related: Over 100 GE Healthcare Devices Affected by Critical Vulnerability

Related: Profinet Vulnerability Exposes Siemens, Moxa Devices to DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.