GE Fanuc Proficy Plaintext Password Vulnerability

From SCADApedia

Vulnerability

The GE Fanuc Proficy Information Portal can transmit authentication credentials in plaintext.

Eyal Udassin, co-founder of C4 Security, discovered this vulnerability.

Affected Systems

The vulnerability affects the GE Fanuc Proficy Information Portal versions up to and including 2.6.

Impact

Anyone eavesdropping on the corporate network can gather usernames and passwords to the Proficy server. The Proficy server can be integrated with an Active Directory server on the network. If the Proficy server is set up to use Active Directory for authentication, an eavesdropper may discover usernames and passwords to the corporate network and the SCADA network.

Reporting systems are typically accessible from the corporate network as well as the SCADA network. Since corporate networks are accessible from the Internet, an attacker could penetrate the corporate network and gather usernames and passwords for the Proficy Information Portal and possibly the corporate network. Once the attacker gathers the usernames and passwords, he could gain access to the SCADA network using other vulnerabilities in Proficy.

Detection

The best way to test for this vulnerability is to record the login packet with a packet sniffer, such as Wireshark. After the login packet has been recorded, examine the type of packet and its contents. If the packet is using the HTTP protocol, the username should be visible in plaintext and the next field is a Base64 representation of the password. Base64 is an encoding, not encryption, so anyone who captures the packet can decode the password. If the packet is using the HTTPS protocol, its contents should appear as a random set of characters.
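The check described above can be scripted against a TCP payload exported from your own capture. This is an added example, not code from SCADApedia or GE Fanuc; the `/login` path, the `username` and `password` field names, and the form-encoded body are assumptions, since the page does not give the real request format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed samples (not real Proficy traffic): an HTTP login request with
# assumed field names, and the first bytes of a TLS handshake record.
SAMPLE_HTTP = (b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"username=jsmith&password=UGFzc3cwcmQh")
SAMPLE_TLS = bytes.fromhex("1603010200010001fc0303")

def classify_capture(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the start of a TCP payload."""
    # TLS records start with a content type (0x14-0x17) and major version 3.
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) \
            and payload[1] == 0x03:
        return "tls"
    if re.match(rb"(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown"

def base64_text(value: str):
    """Return the decoded text if value is Base64 of printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="ignore")
    # Reject empty results and anything that lost bytes or is not printable.
    if raw and len(text) == len(raw) and text.isprintable():
        return text
    return None

def exposed_fields(payload: bytes):
    """List (name, value, decoded) for each form field sent over plain HTTP."""
    if classify_capture(payload) != "http":
        return []  # encrypted or unrecognised: nothing readable to report
    _head, _sep, body = payload.partition(b"\r\n\r\n")
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [(name, value, base64_text(value)) for name, value in fields]

if __name__ == "__main__":
    for label, data in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS)):
        print(label, classify_capture(data), exposed_fields(data))
```

A non-empty result with a decoded value means the login is crossing the network in recoverable form and the SSL configuration in the Remediation section has not been applied.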

Remediation

Proficy 2.5 and newer can be configured to use SSL. Follow the instructions described in the GE Fanuc knowledge base article listed below.

If your version of Proficy is older than 2.5, please consult your vendor for an upgrade or consider using an alternate form of encryption (IPSec, VPN over SSL, etc.).

External Links

US-CERT Vulnerability Note 180876

GE Fanuc Knowledge Base Vulnerability Mitigation Article

C4 Security
