The GE Communicator software is affected by several vulnerabilities, including the presence of hardcoded credentials and privilege escalation flaws, ICS-CERT revealed last week.
GE Communicator is designed for configuring and commissioning General Electric power meters. The tool is used by electric utilities, large manufacturers and other types of organizations around the world.
Reid Wightman, a senior vulnerability researcher with industrial cybersecurity firm Dragos, discovered that GE Communicator is affected by a total of five vulnerabilities.
Wightman told SecurityWeek that the flaws can allow an attacker to gain admin rights to a workstation running the GE Communicator software, but exploitation requires either network access to the workstation (and Windows firewall settings that allow inbound network connections), or local logon access to the workstation with regular user privileges.
Remote exploitation from the internet could also be possible, but it’s unlikely, Wightman said, as this is engineering workstation software that typically runs on company laptops and lab workstations where the services are not directly exposed.
One of the vulnerabilities is related to the existence of two backdoor accounts with hardcoded credentials. They can allow a malicious actor to take control of the application’s database, but ICS-CERT says exploitation is prevented if the default Windows firewall settings are in place.
Another security hole allows a user with non-administrative privileges to plant a malicious file in the installation folder, giving them admin privileges during the installation or upgrade process. A similar weakness allows an attacker with non-admin permissions to elevate privileges by replacing the GE Communicator uninstaller with a malicious file.
Learn More About ICS Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference
ICS-CERT said another flaw can be exploited to manipulate widgets and user interface elements by planting a specially crafted file in the application’s working directory.
The last vulnerability involves a service running with system privileges, which can be leveraged by a user with low privileges to perform certain administrative actions. An attacker can use this to execute scheduled scripts with admin permissions. Similar to the first vulnerability, exploitation of this weakness is prevented if the Windows firewall is enabled with default settings.
Four of the five vulnerabilities have been assigned CVSS scores that put them in the “high severity” category. However, Wightman says he does not see these issue as being critical.
“They are typical of engineering software that has not been through a rigorous security review,” he said. “Most engineering software on control systems networks will have similar issues, regardless of the vendor.”
GE patched these vulnerabilities with the release of GE Communicator 4.0.517. Wightman said it took the company nearly 7 months to fix the flaws.
According to Wightman, organizations can also prevent exploitation by restricting access to TCP ports 1233 (RPC endpoint for the MeterManager Scheduler Service) and 5433 (database server)
“These services are blocked by the default configuration of Windows, however engineers may accidentally or intentionally disable the standard Windows firewall,” Wightman explained. “This happens frequently when troubleshooting communications issues. We recommend ensuring that the these services are restricted by both the host firewall, and any perimeter firewalls that a utility might run.”
Related: Critical Flaw in GE Protection Relays Exposes Power Grid
Related: GE Machine Monitoring System Plagued by Serious Flaw