CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
84.8%
Vulnerabilities in the way GE Fanuc iFIX handles authentication could allow a remote attacker to log on to the system with elevated privileges.
GE Fanuc iFIX is SCADA client/server software that includes a Human Machine Interface (HMI) componant and runs on Microsoft Windows CE, NT, 2000, Server 2003, XP, or Vista. Authentication to iFIX is handled insecurely. Usernames and passwords are stored on the client in a local file. The passwords are obfuscated in this file using a weak encryption algorithm. According to GE Fanuc:
Attackers can gain copies of this file in two ways. The first way requires that an attacker have an interactive session with the computer containing the file, such as a direct login, or through a remote terminal session, VNC, or some other remote session providing access to a command shell. Using the shell, the attacker can simply copy the file and extract the passwords at some later point. Another way an attacker can gain access to this file is by intercepting the file over the network. This can occur if the file is shared between two computers using Microsoft Windowsยฎ network sharing. In this case, an attacker may be able to recreate the file by using a network sniffer to monitor network traffic between them.
Since iFIX performs authentication in the client, an attacker can modify or replace authentication code. According to GE Fanuc:
Authentication and authorization of users are implemented through certain program modules. These modules can be modified at the binary level to bypass user authentication. To exploit this type of attack, an attacker needs to be able to launch unauthorized applications from an interactive shell.
Furthermore, iFIX may also be susceptible to the Microsoft Windows AutoRun issue discussed in TA09-020A. Arbitrary code executed via AutoRun can bypass iFIX environment protection and interact directly with Windows, which could result in modification or replacement of the authentication modules.
Note that this issue affects versions of GE Fanuc iFIX up to and including version 5.0.
An attacker who can access the credentials file or intercept network traffic can obtain authentication credntials and gain unauthorized access to iFIX systems.
Until a more complete solution is available, consider the workarounds below.
Apply Workarounds
GE Fanuc has released a vendor statement detailing mitigation stratigies for this issue. These include:
* Isolate the iFIX HMI/SCADA network from the corporate network
* Do not share the iFIX Local directory
* Configure iFIX nodes as View only
* Enabled Environment protection
* Disable AutoRun
310355
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: February 11, 2009
Affected
See the GE Fanuc vendor statement at http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search.
The vendor has not provided us with any further information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 0 | AV:โ/AC:โ/Au:โ/C:โ/I:โ/A:โ |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
This issue was reported by Rayford Vaughn and Robert Wesley McGrew at Mississippi State University.
This document was written by Chris Taschner.
CVE IDs: | CVE-2009-0216 |
---|---|
Severity Metric: | 1.62 Date Public: |