[NEWS] GE Fanuc Proficy Information Portal Vulnerabilities

Subject: [NEWS] GE Fanuc Proficy Information Portal Vulnerabilities
Date: 29 Jan 2008 09:43:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com


  GE Fanuc Proficy Information Portal Vulnerabilities
------------------------------------------------------------------------


SUMMARY

GE-Fanuc's Proficy Information Portal 2.6 is "a web based reporting 
application for the SCADA environment. As such it will usually be 
installed in a buffer zone between the SCADA and the corporate network, 
which makes it a very sensitive application as it can reach both 
networks". Two security vulnerabilities have been discovered in GE-Fanuc's 
Proficy Information Portal. They allow remote attackers to gain 
unauthorized access to the system and to execute arbitrary code by 
leveraging a security issue in the product.

DETAILS

Vulnerable Systems:
 * GE-Fanuc's Proficy Information Portal version 2.6

Immune Systems:
 *

Authentication Vulnerability
The login process of Proficy sends the username in cleartext and the 
password in Base64-encoded format. Base64 is a reversible encoding, not 
encryption, so an attacker with access to the data traffic can intercept 
this transmission and decode the password.

Impact
An attacker can harvest user credentials by intercepting the traffic 
between the browser and the Proficy server.

Workaround/Fix
The vendor issued a KB article on how to resolve this vulnerability at the 
GE-Fanuc website.

CVE Information:
 CVE-2008-0174 
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0174>

Arbitrary File Upload and Execution
Any authenticated user can use the "Add WebSource" option to upload any 
file (including asp) to the server, into the main virtual directory, where 
it can be launched by simply requesting it with a web browser. The 
vulnerability stems from a faulty Java RMI call associated with the "Add 
WebSource" option: the call lets the user set the name and path where the 
file should be placed, and a further parameter carries the Base64-encoded 
content of the file itself.

Impact
An authenticated attacker can compromise the server running Proficy 
Information Portal, enabling him to progress to the control/process 
network.

Workaround/Fix
Vendor fix will be available by Feb 15th. A possible workaround is to 
remove the write permission of the IIS user from the Proficy directory.

CVE Information:
 CVE-2008-0175 
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0175>
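
Server-side validation of the three client-supplied values described above 
(name, path, Base64 content), as an added example; it is not code from the 
advisory, the vendor or the product. The allowlist, size limit, function 
names and the storage root (assumed to lie outside any web-served 
directory) are assumptions.

```python
import base64
import binascii
import re
from pathlib import Path

# Assumed policy values, not taken from the advisory or the product.
ALLOWED_EXTENSIONS = {"xml", "csv", "txt"}
MAX_BYTES = 1024 * 1024
# Bare file name: exactly one dot, no separators, colons, semicolons or spaces.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")


class UploadRejected(ValueError):
    """The request violates the storage policy."""


def _safe_dir_parts(rel_dir: str) -> list:
    """Split a client-supplied directory, refusing absolute or escaping paths."""
    if rel_dir.startswith(("/", "\\")):
        raise UploadRejected("absolute path")
    parts = [p for p in rel_dir.replace("\\", "/").split("/") if p not in ("", ".")]
    # ':' covers drive letters and NTFS alternate data streams.
    if any(p == ".." or ":" in p for p in parts):
        raise UploadRejected("path escapes storage root")
    return parts


def resolve_upload(storage_root: Path, rel_dir: str, name: str, content_b64: str):
    """Return (destination, data) for an accepted request, else raise."""
    match = SAFE_NAME.fullmatch(name)
    if not match or match.group(1).lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file name or extension not allowed")
    root = storage_root.resolve()
    dest = root.joinpath(*_safe_dir_parts(rel_dir), name).resolve()
    if not dest.is_relative_to(root):  # second check, catches symlinked directories
        raise UploadRejected("path escapes storage root")
    try:
        data = base64.b64decode(content_b64, validate=True)
    except binascii.Error as exc:
        raise UploadRejected("content is not valid Base64") from exc
    if len(data) > MAX_BYTES:
        raise UploadRejected("content too large")
    return dest, data  # caller writes data to dest; nothing here touches the web root
```
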


ADDITIONAL INFORMATION

The information has been provided by Eyal Udassin 
<mailto:eyal.udassin@c4-security.com>.


