GE iFIX 6.1 Multiple Vulnerabilities

Author: William Knowles
Release Date: 09 February, 2021
AR202101 Industrial Security Advisory


Copyright notice

Copyright © 2021 by Applied Risk BV. All rights reserved.


Overview

Two vulnerabilities were identified within GE iFIX, which would allow an attacker to elevate their privileges. Both vulnerabilities arose through insecure permissions; in one case on registry keys and in the other on section objects (a method of sharing memory between Windows processes).

Affected products

The following versions were affected:

• GE iFIX versions 6.1 and below.

Impact

Both vulnerabilities would allow an authenticated but unprivileged user to modify the system-wide iFIX configuration, which would lead to the arbitrary execution of attacker code. This execution would occur under the privileges of the user running iFIX, such as other users on the system, and could therefore be used for privilege escalation.

Background

GE’s iFIX is a Human Machine Interface (HMI) product. It is used for industrial process visualization, monitoring, and control.

Vulnerability details

Insecure Registry Key Permissions

Registry keys relating to the iFIX configuration could be modified by low-privileged users. An attacker could abuse this to have iFIX load an attacker-controlled DLL.

Applied Risk has calculated a CVSSv3 score of 7.8 for this vulnerability. The CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.


Insecure Section Object Permissions

Section objects created by iFIX could be modified by low-privileged users. An attacker could abuse this to have iFIX load an attacker-controlled DLL.

Applied Risk has calculated a CVSSv3 score of 7.8 for this vulnerability. The CVSS vector string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
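Both findings come down to an access control list that grants write-type rights to a broad, low-privileged principal. The Python check below is an added example, not code from the advisory or from GE: it parses a security descriptor in SDDL form (for instance the Sddl property that PowerShell's Get-Acl returns for a registry key) and lists such allow ACEs for registry keys and section objects. The descriptors are constructed samples, since the advisory does not name the affected keys or sections; deny and conditional ACEs are not evaluated, so a finding is a lead to confirm.

```python
import re

# Broad, low-privileged principals: SDDL aliases and the matching SIDs.
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone", "IU": "INTERACTIVE",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users"}
# SDDL two-letter rights tokens and the access-mask bits they stand for.
SDDL_RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
               "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "KA": 0xF003F,
               "KR": 0x20019, "KW": 0x20006, "KX": 0x20019, "CC": 0x1, "DC": 0x2, "LC": 0x4,
               "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Bits that let the holder change an object's content or its security.
COMMON = {0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
          0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE"}
WRITE_BITS = {
    "registry": {0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY", **COMMON},
    "section": {0x2: "SECTION_MAP_WRITE", 0x10: "SECTION_EXTEND_SIZE", **COMMON}}

def parse_rights(rights):
    """Turn an ACE rights field (hex mask or token string) into an int mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]  # KeyError on an unknown token
    return mask

def risky_aces(sddl, kind):
    """List (principal, rights) for allow ACEs giving low-privileged write access."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A" or sid not in LOW_PRIV:
            continue
        mask = parse_rights(rights)
        hits = [n for bit, n in sorted(WRITE_BITS[kind].items()) if mask & bit]
        if hits:
            findings.append((LOW_PRIV[sid], hits))
    return findings

# Constructed sample descriptors, not taken from an iFIX installation.
SAMPLES = [("registry", "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;BU)"),
           ("registry", "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"),
           ("section", "D:(A;;0xf001f;;;SY)(A;;0xf001f;;;WD)"),
           ("section", "D:(A;;0xf001f;;;SY)(A;;0xf001f;;;BA)(A;;0x5;;;AU)")]

if __name__ == "__main__":
    for kind, sddl in SAMPLES:
        print(kind, sddl, "->", risky_aces(sddl, kind) or "no findings")
```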

Mitigation

GE recommends that iFIX is upgraded to version 6.5 to resolve this issue. Furthermore, GE recommends that customers refer to its Secure Deployment Guide (SDG) for additional hardening guidance:

https://digitalsupport.ge.com/en_US/Documentation/iFIX-Secure-Deployment-Guide


References

Vendor website:

https://www.ge.com/

Product page:

https://www.ge.com/digital/applications/hmi-scada/ifix

Related references:

https://digitalsupport.ge.com/en_US/Documentation/iFIX-Secure-Deployment-Guide


Contact details

For any questions related to this report, please contact the Applied Risk Research team at:

Email: [email protected]

PGP Public Key:
