GE Fanuc Proficy Arbitrary File Upload And Execution

From SCADApedia

Vulnerability

GE Fanuc Proficy Information Portal allows an authenticated user to upload arbitrary files. An attacker could upload a server-side script and execute commands with the privileges of the web server. The vulnerability exists as a product feature that allows users to perform an "Add WebSource" command.

Eyal Udassin, co-founder of C4 Security, discovered this vulnerability.

Affected Systems

This vulnerability affects all versions of GE Fanuc Proficy Information Portal up to and including 2.6.

Impact

A remote, authenticated user could upload executable code to the web server. Once an attacker is able to control the Proficy server, the attacker can use the machine as a launch pad to gain access to the SCADA network.

Reporting systems are typically accessible from the corporate network as well as the SCADA network. Since corporate networks are accessible from the Internet, an attacker could penetrate the corporate network and use the Proficy Information Portal to access the SCADA network. The attacker would need to authenticate with the server. Proper credentials could be obtained by using a key logger or a sniffer if the Proficy Information Portal is affected by the GE Fanuc Proficy Plaintext Password Vulnerability.

Detection

Connect to the Proficy Information Portal and find the "Add WebSource" feature. Upload a file to the server and attempt to access the file. If the file can be accessed, the system is vulnerable.
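An added example, not part of the original entry and not GE Fanuc code: a log-side complement to the manual test above. It parses web server logs and flags requests for server-side scripts under the directory that receives uploaded files, noting whether the same client used the upload handler shortly before. It assumes W3C extended-format logs; the handler path, upload directory and sample log lines are hypothetical placeholders, since the page names none of them.

```python
from datetime import datetime, timedelta

# Hypothetical placeholders: the page does not name the upload handler or the
# directory where "Add WebSource" files land; set both for your deployment.
UPLOAD_HANDLER = "/portal/upload-handler"
CONTENT_PREFIX = "/portal/uploaded/"
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".php", ".cgi")
WINDOW = timedelta(hours=1)

# Constructed sample in W3C extended log format (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-01-05 10:00:01 10.1.1.20 POST /portal/upload-handler 200
2009-01-05 10:00:09 10.1.1.20 GET /portal/uploaded/trend.html 200
2009-01-05 10:02:30 10.1.1.31 POST /portal/upload-handler 200
2009-01-05 10:02:41 10.1.1.31 GET /portal/uploaded/report.JSP 200
2009-01-05 10:05:00 10.1.1.44 GET /portal/uploaded/old.asp 404
2009-01-05 13:30:00 10.1.1.31 GET /portal/uploaded/report.jsp 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def find_script_hits(text):
    """Return requests for server-side scripts under the upload directory."""
    last_upload = {}   # client IP -> time of its most recent upload POST
    findings = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stem = rec["cs-uri-stem"].lower()   # extension match is case-insensitive
        ip = rec["c-ip"]
        if rec["cs-method"] == "POST" and stem == UPLOAD_HANDLER:
            last_upload[ip] = ts
        elif stem.startswith(CONTENT_PREFIX) and stem.endswith(SCRIPT_EXTS):
            # True when this client uploaded within WINDOW before the request
            recent = ip in last_upload and ts - last_upload[ip] <= WINDOW
            findings.append({"time": ts, "client": ip, "path": stem,
                             "status": rec["sc-status"], "after_upload": recent})
    return findings

if __name__ == "__main__":
    print(*find_script_hits(SAMPLE_LOG), sep="\n")
```

A finding with `after_upload` set and a 200 status is the sequence to review first; script requests with no preceding upload still warrant a look, since the file may have been placed earlier than the log window.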

Remediation

Upgrade the Proficy Information Portal to 2.6. GE Fanuc will address this vulnerability in a Software Improvement Module (SIM) for Proficy 2.6. Please see the knowledge base article listed below for information about the SIM.

Network and user access to the Proficy server should be restricted. Changing file permissions in the server directory may help mitigate the vulnerability. This has not been tested and may have an adverse effect on the portal.

External Links

US-CERT Vulnerability Note 339345

GE Fanuc Knowledge Base Vulnerability Article

C4 Security
