Several Vulnerabilities Found in GE Power Meter Software

The GE Communicator software is affected by several vulnerabilities, including the presence of hardcoded credentials and privilege escalation flaws, ICS-CERT revealed last week.

GE Communicator is designed for configuring and commissioning General Electric power meters. The tool is used by electric utilities, large manufacturers and other types of organizations around the world.

Reid Wightman, a senior vulnerability researcher with industrial cybersecurity firm Dragos, discovered that GE Communicator is affected by a total of five vulnerabilities.

Wightman told SecurityWeek that the flaws can allow an attacker to gain admin rights to a workstation running the GE Communicator software, but exploitation requires either network access to the workstation (and Windows firewall settings that allow inbound network connections), or local logon access to the workstation with regular user privileges.

Remote exploitation from the internet could also be possible, but it’s unlikely, Wightman said, as this is engineering workstation software that typically runs on company laptops and lab workstations where the services are not directly exposed.

One of the vulnerabilities is related to the existence of two backdoor accounts with hardcoded credentials. They can allow a malicious actor to take control of the application’s database, but ICS-CERT says exploitation is prevented if the default Windows firewall settings are in place.

Another security hole allows a user with non-administrative privileges to plant a malicious file in the installation folder, giving them admin privileges during the installation or upgrade process. A similar weakness allows an attacker with non-admin permissions to elevate privileges by replacing the GE Communicator uninstaller with a malicious file.

ICS-CERT said another flaw can be exploited to manipulate widgets and user interface elements by planting a specially crafted file in the application’s working directory.

The last vulnerability involves a service running with system privileges, which can be leveraged by a user with low privileges to perform certain administrative actions. An attacker can use this to execute scheduled scripts with admin permissions. Similar to the first vulnerability, exploitation of this weakness is prevented if the Windows firewall is enabled with default settings.

Four of the five vulnerabilities have been assigned CVSS scores that put them in the “high severity” category. However, Wightman says he does not see these issues as being critical.

“They are typical of engineering software that has not been through a rigorous security review,” he said. “Most engineering software on control systems networks will have similar issues, regardless of the vendor.”

GE patched these vulnerabilities with the release of GE Communicator 4.0.517. Wightman said it took the company nearly 7 months to fix the flaws.

According to Wightman, organizations can also prevent exploitation by restricting access to TCP ports 1233 (RPC endpoint for the MeterManager Scheduler Service) and 5433 (database server).

“These services are blocked by the default configuration of Windows, however engineers may accidentally or intentionally disable the standard Windows firewall,” Wightman explained. “This happens frequently when troubleshooting communications issues. We recommend ensuring that these services are restricted by both the host firewall, and any perimeter firewalls that a utility might run.”
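The host-firewall check recommended above can be scripted on the engineering workstation. The following PowerShell is an added example, not code from GE, Dragos or ICS-CERT; the rule display name is an assumption chosen for illustration, and the script must run in an elevated session.

```powershell
# Added example: audit and restrict the two service ports named in the article.
# Ports come from the article; the rule name is a constructed placeholder.
$ports    = '1233', '5433'   # MeterManager Scheduler RPC endpoint, database server
$ruleName = 'Block inbound GE Communicator services (example)'

# 1. Flag any firewall profile that has been switched off or set to allow
#    inbound traffic by default (the troubleshooting leftovers the article warns about).
$weakProfiles = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}
if ($weakProfiles) {
    Write-Warning "Firewall profiles disabled or allowing inbound by default:"
    $weakProfiles | Format-Table Name, Enabled, DefaultInboundAction -AutoSize
}

# 2. Show what is actually listening on those ports and on which address.
#    A LocalAddress of 0.0.0.0 or :: means the service is reachable from the network
#    whenever the firewall does not stop it.
Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 3. Add an explicit inbound block rule for both ports on every profile.
#    In Windows Firewall a block rule takes precedence over allow rules, so this
#    still holds if someone later adds a broad allow rule. It has no effect while
#    the profile itself is disabled, which is why step 1 matters.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ports -Action Block -Profile Any | Out-Null
}

# 4. Confirm the rule is present and enabled.
Get-NetFirewallRule -DisplayName $ruleName |
    Format-Table DisplayName, Enabled, Direction, Action, Profile -AutoSize
```

Blocking both ports outright assumes nothing on the network needs to reach these services remotely; the perimeter firewall restriction Wightman mentions is a separate control and is not covered by this script.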

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
