GE Power Product Service Information Bulletin

PSIB 20161019A

Proficy HMI/SCADA - CIMPLICITY Security Advisory

Overview
GE Power has been made aware of a vulnerability in the Cimplicity 8.2 product as disclosed by GE Digital. Cimplicity is a
client/server based human machine interface/supervisory control and data acquisition (HMI/SCADA) application used in
GE HMIs.

Zhou Yu of Acorn Network Security identified an improper privilege management vulnerability and recently released
exploit code for the GE Proficy HMI/SCADA CIMPLICITY application without coordination with ICS-CERT, the vendor, or any
other coordinating entity known to ICS-CERT. GE produced a new version to mitigate this vulnerability in August 2014.

Application
CIMPLICITY Version 8.2, SIM 26 or earlier.

Background
Successful exploitation of the vulnerability may allow an authenticated user on the system to modify the configuration of
the CIMPLICITY service and launch any executable on the system as a service.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT
recommends that organizations evaluate the impact of this vulnerability based on their operational environment,
architecture, and product implementation.

Vulnerable versions may allow users to edit the configuration of the CIMPLICITY service. CVE-2016-5787 has been
assigned to this vulnerability.

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered
when a local user runs the vulnerable application and loads a malicious file. Exploits that target this vulnerability are
publicly available.

An attacker with a low skill level would be able to exploit this vulnerability. Social engineering is required to convince
the user to accept a malicious file. Additional user interaction is needed to load the malformed file. This decreases the
likelihood of a successful exploit.

Advisory
Fixes for this vulnerability were released in CIMPLICITY 8.2 SIM 27. CIMPLICITY 9.0 and 9.5 do not contain this vulnerability.

Please download and install CIMPLICITY 8.2 SIM 27 from the following link to resolve the vulnerability:

https://ge-ip.force.com/communities/en_US/Download/CIMPLICITY-8-2-SIM-27-DN

Proficy SIMs are cumulative. All future SIMs will include these updates. The latest SIMs are available for download
at http://support.ge-ip.com; however, SIM 27 is the latest approved for GE Power customers' use at this time.

Copyright © 2016 General Electric Company. This information is proprietary and is the property of GE Power. The content of this document is provided
for general information and awareness. Always refer to your unit’s O&M Manuals and applicable TILs for detailed information relevant to the operation
and maintenance of your equipment. This document shall not be reproduced in whole or in part nor shall its contents be disclosed to any third party
without the written approval of GE Power Services Engineering
Proficy HMI/SCADA – CIMPLICITY customers unable to upgrade to version 8.2 SIM 27 or later are encouraged to consider
a workaround by using the following commands from a command prompt:

sc sdset CIMPLICITY D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;SU)(A;;CCLCSWRPWP;;;BU)

sc sdset WEBVIEW D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;SU)

sc sdset "EGD Service" D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

sc sdset CimProxy D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
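To confirm that a service DACL matches the intent of the workaround above, the following added example (not part of the GE bulletin) parses an SDDL string, such as the output of sc sdshow <service>, and reports any allow ACE that gives a trustee other than Administrators or Local System a right to reconfigure the service. The PERMISSIVE string is constructed for illustration, and the PRIVILEGED and RISKY sets are assumptions of this example.

```python
import re

# SDDL right codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder change the service configuration or rewrite its ACL.
RISKY = {"DC", "WD", "WO", "GA", "GW"}
# Trustees expected to hold those rights (assumption): Administrators, Local System.
PRIVILEGED = {"BA", "SY"}

# DACL from the bulletin's CIMPLICITY workaround command.
HARDENED = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCLCSWRPWPDTLOCRRC;;;SU)(A;;CCLCSWRPWP;;;BU)")
# Constructed sample: Authenticated Users (AU) can change the service configuration.
PERMISSIVE = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right codes])] for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl.replace(" ", ""))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(f) < 6:
            continue
        # A hex access mask is kept as one token so it is flagged for review.
        rights = [f[2]] if f[2].lower().startswith("0x") else re.findall("..", f[2])
        aces.append((f[0], f[5], rights))
    return aces

def risky_grants(sddl):
    """List (trustee, rights) for allow ACEs that need attention."""
    findings = []
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee in PRIVILEGED:
            continue
        bad = [r for r in rights if r in RISKY or r not in SERVICE_RIGHTS]
        if bad:
            findings.append((trustee, bad))
    return findings

if __name__ == "__main__":
    for name, sddl in (("hardened", HARDENED), ("permissive", PERMISSIVE)):
        print(name, risky_grants(sddl) or "no risky grants")
```
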

Please contact your local GE representative for additional information or assistance.
