GE Fanuc Cimplicity Heap Buffer Overflow

From SCADApedia



Vulnerability

The GE Fanuc Cimplicity HMI contains a remote heap overflow that allows arbitrary code to be executed by a remote attacker.

The vulnerability is in the w32rtr.exe application, which is launched by cimplicity.exe. w32rtr.exe is present on both the Cimplicity server and the Cimplicity client installations. If w32rtr.exe is merely crashed, the web server, the viewer and the Cimplicity server all have to be restarted to return to normal operation. An attacker could also craft an exploit for w32rtr.exe that executes code remotely instead of just crashing the process.

Eyal Udassin, co-founder of C4 Security, discovered this vulnerability.

Affected Systems

This vulnerability affects all versions of GE Fanuc Cimplicity up to and including 7.0.

Impact

An unauthenticated, remote attacker could crash the Cimplicity HMI server or client systems, or execute code on them. The outcome is either a denial of service against the HMI server and clients or a compromise of the SCADA network.

This exploit can be run from an unmanned, remote station. While such sites usually have some physical security, a determined attacker will be able to bypass it and gain access to the station. An attacker in a remote station is a problem in itself, but the damage that attacker can cause is generally limited to that particular site. This Cimplicity HMI heap overflow changes that: it could allow an attacker at a remote station to execute code on the HMI and disrupt the entire SCADA network.

Detection

Until authorization is given to release the full details of the exploit, the only way to check for this vulnerability is to check the version of your Cimplicity HMI server and client installations against the fixed releases listed under Remediation.
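The version check described above, scripted for a list of Cimplicity hosts. This is an added example, not code from SCADApedia, GE Fanuc or C4 Security. It reads the file version of w32rtr.exe on each host (via the running process, falling back to a search under Program Files) and flags any major.minor version at or below 7.0. The hostnames and the fallback search location are assumptions, as is the premise that the file version of w32rtr.exe tracks the Cimplicity product version. A hot fix or SIM does not necessarily change the major.minor version, so a 6.1 or 7.0 reading still has to be confirmed against the GE Fanuc knowledge base article for the fixed build.

```powershell
# Added example; not code from the SCADApedia page, GE Fanuc or C4 Security.
# Reports the file version of w32rtr.exe on each listed host and flags any
# major.minor version at or below 7.0 as affected unless the hot fix/SIM is
# confirmed installed. Hostnames and the fallback search path are assumptions.

$Hosts        = @('hmi-server01', 'hmi-client01')   # assumed: your Cimplicity server and client hosts
$LastAffected = '7.0'                               # advisory: all versions up to and including 7.0

$Check = {
    param([string]$LastAffectedString)
    $last = [version]$LastAffectedString

    # Prefer the running process so we inspect the binary actually in use.
    $proc = Get-Process -Name 'w32rtr' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($proc -and $proc.Path) {
        $path = $proc.Path
    } else {
        # Fallback (assumed layout): search both Program Files trees.
        $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
        $path  = Get-ChildItem -Path $roots -Filter 'w32rtr.exe' -Recurse -ErrorAction SilentlyContinue |
                 Select-Object -First 1 -ExpandProperty FullName
    }

    if (-not $path) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Path = $null; FileVersion = $null; Status = 'w32rtr.exe not found' }
    }

    $vi = (Get-Item -LiteralPath $path).VersionInfo
    # Compare on major.minor only: [version]'7.0' sorts below 7.0.0.0, so a
    # four-part compare would wrongly clear an unpatched 7.0.0.0 build.
    $majorMinor = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart)
    $full       = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Path        = $path
        FileVersion = $full
        Status      = if ($majorMinor -le $last) { 'Affected unless hot fix/SIM confirmed' } else { 'Not in affected range' }
    }
}

$results = foreach ($h in $Hosts) {
    try {
        if ($h -ieq $env:COMPUTERNAME) {
            & $Check $LastAffected                      # local host: run the check directly
        } else {
            Invoke-Command -ComputerName $h -ScriptBlock $Check -ArgumentList $LastAffected -ErrorAction Stop
        }
    } catch {
        [pscustomobject]@{ Host = $h; Path = $null; FileVersion = $null; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table Host, FileVersion, Status -AutoSize
```

Run it from a workstation with PowerShell remoting enabled towards the HMI hosts, or on each host individually with its own name in $Hosts. A host that is reported as "Not in affected range" has a major.minor above 7.0; a host reported as affected needs the fixed release from the Remediation section verified by other means (installed hot fix/SIM records, the vendor KB article), because the script cannot tell a patched 7.0 from an unpatched one.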

Remediation

GE Fanuc has addressed the vulnerability in Cimplicity 6.1 SP1 Hot Fix 010708_162517_6106 and in Cimplicity 7.0 SIM 9. If the installed version of Cimplicity is older than 6.1, consult the vendor regarding an upgrade. Information about the patch can be found in the GE Fanuc knowledge base article listed below.

Restrict network access to the Cimplicity server and client hosts so that only trusted stations can reach them.
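One way to apply that restriction on the host itself, as an added example that is not from the SCADApedia page or GE Fanuc. It uses the Windows Firewall cmdlets (Windows 8 / Server 2012 and later) to make unsolicited inbound traffic blocked by default and then allow inbound connections to w32rtr.exe only from a named set of trusted stations. The install path of w32rtr.exe and the trusted address list are assumptions; the advisory gives no port numbers, so the rule is scoped to the program rather than to ports.

```powershell
# Added example; not code from the SCADApedia page or GE Fanuc.
# Restricts inbound access to w32rtr.exe to a list of trusted stations.
# Assumptions: the path of w32rtr.exe, the trusted addresses, and the
# NetSecurity module (Windows 8 / Server 2012 or later).

$W32rtr   = 'C:\Program Files\GE Fanuc\Proficy CIMPLICITY\exe\w32rtr.exe'  # assumed; confirm with (Get-Process w32rtr).Path
$Trusted  = @('10.10.20.0/24', '10.10.21.15')                             # assumed: HMI clients and engineering stations
$RuleName = 'CIMPLICITY w32rtr - trusted stations only'

# 1. Default-deny inbound on every profile, so the scoped allow rule below is
#    the only path to w32rtr.exe. (Windows Firewall has no "block everything
#    except" rule: a block rule always beats an allow rule, so the design is
#    default-deny plus a narrow allow, not an explicit block rule.)
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Any broader existing inbound allow rule for the program (for example one
#    added by an installer) would undo the scoping, so disable those first.
#    Note: rules may store the path with %ProgramFiles%; check the output of
#    Get-NetFirewallApplicationFilter if nothing matches here.
Get-NetFirewallApplicationFilter -Program $W32rtr -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    Disable-NetFirewallRule

# 3. Allow inbound to w32rtr.exe only from the trusted addresses.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Program $W32rtr -RemoteAddress $Trusted -Profile Domain, Private, Public | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Trusted -Enabled True
}

# 4. Verify the address scope that ended up on the rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run as an administrator on each Cimplicity server and client host. A host-based rule is defence in depth, not a substitute for segmenting the SCADA network at the switch or firewall, and neither replaces the vendor fix: an attacker who reaches the host from a trusted station can still trigger the overflow until the hot fix or SIM is installed.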

External Links

US-CERT Vulnerability Note 308556

GE Fanuc Knowledge Base Vulnerability Mitigation Article

C4 Security
