Executive Summary

Summary

Title: GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques

Information

Name: VU#310355
First vendor publication: 2009-02-11
Vendor: VU-CERT
Last vendor modification: 2009-02-24
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#310355

GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques

Overview

Vulnerabilities in the way GE Fanuc iFIX handles authentication could allow a remote attacker to log on to the system with elevated privileges.

I. Description

GE Fanuc iFIX is SCADA client/server software that includes a Human Machine Interface (HMI) component and runs on Microsoft Windows CE, NT, 2000, Server 2003, XP, or Vista. Authentication to iFIX is handled insecurely: usernames and passwords are stored on the client in a local file, and the passwords in that file are obfuscated with a weak encryption algorithm. According to GE Fanuc:

    Attackers can gain copies of this file in two ways. The first way requires that an attacker have an interactive session with the computer containing the file, such as a direct login, or through a remote terminal session, VNC, or some other remote session providing access to a command shell. Using the shell, the attacker can simply copy the file and extract the passwords at some later point. Another way an attacker can gain access to this file is by intercepting the file over the network. This can occur if the file is shared between two computers using Microsoft Windows® network sharing. In this case, an attacker may be able to recreate the file by using a network sniffer to monitor network traffic between them.

Since iFIX performs authentication in the client, an attacker who can run code on the client can modify or replace the authentication code. According to GE Fanuc:

    Authentication and authorization of users are implemented through certain program modules. These modules can be modified at the binary level to bypass user authentication. To exploit this type of attack, an attacker needs to be able to launch unauthorized applications from an interactive shell.

Furthermore, iFIX may also be susceptible to the Microsoft Windows AutoRun issue discussed in TA09-020A. Arbitrary code executed via AutoRun can bypass iFIX environment protection and interact directly with Windows, which could result in modification or replacement of the authentication modules.

Note that this issue affects versions of GE Fanuc iFIX up to and including version 5.0.

II. Impact

An attacker who can access the credentials file or intercept network traffic can obtain authentication credentials and gain unauthorized access to iFIX systems.

III. Solution

Until a more complete solution is available, consider the workarounds below.

Apply Workarounds

GE Fanuc has released a vendor statement detailing mitigation strategies for this issue. These include:

  • Isolate the iFIX HMI/SCADA network from the corporate network
  • Do not share the iFIX Local directory
  • Configure iFIX nodes as View only
  • Enable Environment protection
  • Disable AutoRun
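Two of the workarounds above (not sharing the iFIX Local directory, disabling AutoRun) can be verified from the host itself. The following PowerShell audit script is an added example, not part of the advisory or of GE Fanuc's guidance; it assumes the iFIX Local directory path is supplied by the operator (the default below is a placeholder, not a path the advisory states) and uses the NoDriveTypeAutoRun value of 0xFF that TA09-020A recommends for disabling AutoRun on all drive types.

```powershell
# Added audit script (not vendor code). Checks two VU#310355 workarounds on a Windows iFIX node:
#   1. AutoRun is disabled for all drive types (NoDriveTypeAutoRun = 0xFF, per TA09-020A)
#   2. No SMB share exposes the iFIX Local directory (where the credential file lives)
param(
    # Placeholder: replace with the actual iFIX Local directory of this installation.
    [string]$IfixLocalDir = 'C:\PLACEHOLDER\iFIX\Local'
)

$findings = @()

# --- Check 1: machine-wide Explorer policy for AutoRun ---
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRun = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autoRun -or ($autoRun -band 0xFF) -ne 0xFF) {
    $findings += "AutoRun not fully disabled: NoDriveTypeAutoRun is '$autoRun', expected 0xFF"
}

# --- Check 2: shares that contain the Local directory (including parents and admin shares like C$) ---
$localNorm = $IfixLocalDir.TrimEnd('\').ToLowerInvariant()
Get-WmiObject -Class Win32_Share | Where-Object { $_.Path } | ForEach-Object {
    $shareNorm = $_.Path.TrimEnd('\').ToLowerInvariant()
    if ($localNorm -eq $shareNorm -or $localNorm.StartsWith($shareNorm + '\')) {
        $findings += "Share '$($_.Name)' ($($_.Path)) exposes the iFIX Local directory over the network"
    }
}

if ($findings.Count -eq 0) {
    'OK: AutoRun disabled and iFIX Local directory is not reachable through any share'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Administrative shares (C$ and similar) are reported as findings on purpose, since they also make the credential file reachable over Windows network sharing to anyone holding administrative credentials.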

Systems Affected

Vendor | Status | Date Notified | Date Updated
GE Fanuc | Vulnerable | 2009-02-11 |

References

http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search
http://www.us-cert.gov/cas/techalerts/TA09-020A.html
http://www.mcgrewsecurity.com/2009/02/10/ge-fanuc-releases-info-on-ifix-vulnerabilities-vu-310355/

Credit

This issue was reported by Rayford Vaughn and Robert Wesley McGrew at Mississippi State University.

This document was written by Chris Taschner.

Other Information

Date Public: 2009-02-11
Date First Published: 2009-02-11
Date Last Updated: 2009-02-24
CERT Advisory:
CVE-ID(s): CVE-2009-0216
NVD-ID(s): CVE-2009-0216
US-CERT Technical Alerts:
Metric: 1.62
Document Revision: 19

Original Source

URL: http://www.kb.cert.org/vuls/id/310355

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-255 | Credentials Management

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 9

Open Source Vulnerability Database (OSVDB)

Id | Description
54274 | GE Fanuc Proficy HMI/SCADA iFIX External Media Autorun Environment Protection...
54273 | GE Fanuc Proficy HMI/SCADA iFIX Crafted Software Module Authentication Bypass
54272 | GE Fanuc Proficy HMI/SCADA iFIX Obfuscated Authentication Credential Weakness

Alert History

Date | Information
2013-05-11 00:57:00 | Multiple Updates