Executive Summary

Summary
Title: GE Fanuc Proficy Information Portal transmits authentication credentials in plain text
Information
Name: VU#180876
First vendor Publication: 2008-01-25
Vendor: VU-CERT
Last vendor Modification: 2008-02-01
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score: 5
Attack Range: Network
CVSS Impact Score: 2.9
Attack Complexity: Low
CVSS Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#180876

GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

Overview

GE Fanuc Proficy Information Portal can transmit authentication credentials in plain text. An attacker could monitor traffic, obtain valid credentials, and gain access to the portal.

I. Description

GE Fanuc Proficy Information Portal is a web-based systems reporting tool often used to consolidate and integrate online and process-based systems data between Supervisory Control And Data Acquisition (SCADA) systems and the corporate network. Authentication credentials for the portal may be sent in an insecure manner. During the login procedure, usernames are sent to the portal in plaintext and passwords are sent in Base64-encoded format. Base64 is an encoding, not encryption, so it provides no confidentiality. An attacker may be able to monitor network traffic and obtain credentials to gain unauthorized access to the portal.

This vulnerability affects GE Fanuc Proficy Information Portal up to and including version 2.6.
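The exposure described above can be checked for in captured or proxied login traffic. The following is an added example, not code from the advisory or from GE Fanuc: it audits a form-encoded login request and reports credential fields that travel over a non-TLS connection either in plaintext or as Base64. The host, path, field names and sample values are assumptions constructed for illustration, since the advisory does not publish the portal's request format.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed field names; the advisory does not publish the portal's request format.
CREDENTIAL_FIELDS = {"username", "user", "password", "passwd", "pwd"}


def decodes_as_base64_text(value):
    """Return the decoded text if value is Base64 of printable text, else None.

    Heuristic: a short plaintext value can also happen to be valid Base64.
    """
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def audit_login_request(url, body):
    """List credential fields exposed by a form-encoded login request.

    Findings name the field and the exposure only; values are never returned,
    so the audit output is safe to log.
    """
    if urlsplit(url).scheme.lower() == "https":
        return []  # TLS protects the fields in transit
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name.lower() not in CREDENTIAL_FIELDS:
            continue
        if decodes_as_base64_text(value) is None:
            findings.append((name, "sent in plaintext"))
        else:
            findings.append((name, "Base64-encoded, reversible without a key"))
    return findings


# Constructed sample request (hypothetical host, path and field names).
SAMPLE_URL = "http://portal.example.invalid/login"
SAMPLE_BODY = urlencode({
    "username": "operator1",
    "password": base64.b64encode(b"Constructed-Pw1").decode("ascii"),
    "lang": "en",
})

if __name__ == "__main__":
    for field, issue in audit_login_request(SAMPLE_URL, SAMPLE_BODY):
        print(f"{field}: {issue}")
```

The same request sent to an `https://` URL produces no findings, which is the effect of the "Use SSL" remediation below.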

II. Impact

An attacker who can intercept network traffic can obtain authentication credentials.

III. Solution

Use SSL

Proficy Portal version 2.5 and up supports the use of Secure Socket Layer (SSL) connections between the client and server. The SSL protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services via public/private keys and certificates. Proficy customers should refer to GE Fanuc knowledge base article KB12459 for more information and configuration instructions.

Enable Integrated Windows Authentication

It is possible to configure the portal to use domain authentication so that user credentials are no longer sent in plaintext. According to GE Fanuc:

    If domain security is being utilized, the easiest and perhaps most secure method of transmitting username and password information is to enable Windows Authentication within IIS. In this mode, IE and IIS will negotiate the security mechanisms to use and automatically authenticate the user logged into the machine running IE from the IIS server. No password is ever passed between the two computers and therefore cannot be intercepted.

Proficy customers should refer to GE Fanuc knowledge base article KB12459 and the Microsoft documents in the References section below for more information.

Restrict Access

Restrict network access to hosts that require connections to the portal. Do not allow access to the portal from untrusted networks such as the internet.

Systems Affected

Vendor | Status | Date Updated
GE Fanuc | Vulnerable | 24-Jan-2008

References


http://www.securityfocus.com/archive/1/487075/30/0/threaded
http://support.gefanuc.com/support/index?page=kbchannel&id=KB12459
http://support.microsoft.com/kb/324274
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/36ea667e-c578-43b5-87fa-a2f174efb27a.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/iis/523ae943-5e6a-4200-9103-9808baa00157.mspx
http://www.gefanuc.com/as_en/gefanuc/resource_center/hmi_scada/hmiscada_security.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/SSLInfo.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/socketfactory/index.html

Credit

This vulnerability was reported by Eyal Udassin of C4 Security.

This document was written by Chris Taschner.

Other Information

Date Public: 01/24/2008
Date First Published: 01/25/2008 03:26:36 PM
Date Last Updated: 02/01/2008
CERT Advisory:
CVE Name: CVE-2008-0174
US-CERT Technical Alerts:
Metric: 0.17
Document Revision: 46

Original Source

Url : http://www.kb.cert.org/vuls/id/180876

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-37 Lifting Data Embedded in Client Distributions
CAPEC-65 Passively Sniff and Capture Application Code Bound for Authorized Client
CAPEC-117 Data Interception Attacks
CAPEC-155 Screen Temporary Files for Sensitive Information
CAPEC-157 Sniffing Attacks
CAPEC-167 Lifting Sensitive Data from the Client
CAPEC-204 Lifting cached, sensitive data embedded in client distributions (thick or thin)
CAPEC-205 Lifting credential(s)/key material embedded in client distributions (thick or...
CAPEC-258 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...
CAPEC-259 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...
CAPEC-260 Passively Sniffing and Capturing Application Code Bound for an Authorized Cli...

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-312 Cleartext Storage of Sensitive Information

Open Source Vulnerability Database (OSVDB)

Id Description
43227 Proficy Real-Time Information Portal Base64-Encoded Password Disclosure