Claroty’s Team82 details five exploitable vulnerabilities in GE Proficy Historian used in critical infrastructure sectors

Researchers at industrial cybersecurity firm Claroty disclosed Tuesday that its Team82 arm uncovered five exploitable vulnerabilities in GE Digital’s Proficy Historian server, a product deployed across multiple critical infrastructure sectors. The flaws can be used by threat actors to gain access to the historian, crash the device, or remotely execute code. They affect GE Proficy Historian v7.0 and later; one of the five carries a CVSS v3 score of 9.8 and the other four are scored 7.5.

The presence of these vulnerabilities is particularly concerning to the ICS and operational technology (OT) environments, as these historian servers share process information with enterprise systems, thereby creating an attractive pivot point for attackers to move from the IT network to OT systems.

Team82 privately reported five vulnerabilities in GE Proficy Historian, the most severe of which has a CVSS v3 score of 9.8. The flaws can enable an attacker to access a GE Proficy Historian server, modify files, disrupt processes, and crash machines.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an industrial control system (ICS) advisory that identified the vulnerabilities as authentication bypass using an alternate path or channel, unrestricted upload of file(s) with dangerous type, improper access control, and weak encoding for password. 

Uri Katz of Claroty Research reported these vulnerabilities to GE. In response, GE Digital released GE Proficy Historian 2023, which mitigates the issues, and has provided Software Improvement Modules (SIMs) for all affected versions. Organizations are urged to ensure their systems are up to date.

Katz wrote in a company blog post that the researchers studied the GE Proficy Historian application to better understand its attack surface. “Our goal was to take full control of the historian server in order to modify history records in an imaginary pharmaceutical factory. Our first step was to install the server and understand its inner workings, then reverse-engineer its governing protocols, and understand how its authentication mechanism works. We then hunted for vulnerabilities and wrote our client in order to exploit them remotely and execute unauthorized code on the server. Finally, once we had a reverse shell on the server, we were able to modify the records,” he added.

The GE Proficy Historian uses the MSO protocol as its main communication protocol for most of its actions, including authentication, control, and data acquisition, according to Katz. “The Proficy Historian has a few services that communicate using this protocol, all of which bind to all interfaces (0.0.0.0) and listen on various TCP ports between 13000-14000. Every MSO message starts with a message header, then a body header, and ends with the body content.” 

Katz added that Team82’s research on the protocol structure “allowed us to build a fully functional MSO client. The request body also starts with a header followed by the message body. The request body is an array of ‘HRProp’ structures containing a specific property type to its value.”

The protocol has around 170 command types that perform a wide range of actions. Since most of them require authentication, Team82’s research goals were to find an authentication bypass that would allow them to run any of the 170 commands on the historian server, and then to go through the commands in search of primitives that could lead to remote code execution.

“In our research, we found a way to bypass this authentication procedure. This allows remote attackers the ability to log in to any GE Proficy Historian server and force it to perform unauthorized actions,” Katz said. Furthermore, “we found that among the various commands defined in the protocol, some of them have improper access control mechanisms that allow remote clients to perform dangerous actions such as reading and writing arbitrary files, deleting arbitrary files and even executing code remotely when chained together.”

GE Proficy Historian runs different services, each responsible for part of the historian logic. These services can be run locally (on the same machine as the main historian service), or remotely (on another machine). 

Katz said that this was interesting to the researchers because the services use the MSO protocol the same way a regular remote user does, but without any apparent authentication. “After decoding a login message sent by one of the services, we discovered that the difference between a regular login and the login which a service performs is in one of the HRProps: the HRPropServiceType. We tried sending our own message setting the service type to one of the services and were able to log in. When setting the service type to one of the services, the historian server does not check the authentication and therefore executes the requested command regardless of authentication status,” he added.

He added that an attacker can take advantage of this fact and bypass the historian authentication by impersonating a local service. This means that by using a remote MSO client and changing the HRPropServiceType to one of the local services, the attacker can bypass the authentication procedure and execute MSO commands remotely even if the authentication flow fails. Thus, any user can remotely execute MSO API commands on the Historian server without the need to authenticate with the correct credentials.
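The security-relevant point above is that the server decided whether to check credentials based on a value the client itself supplied. The following toy model, added here as an illustration and not Team82’s client or GE’s code, shows that decision in its vulnerable form beside a hardened one in which being a service is something a peer has to prove with a provisioned key rather than assert. Only the HRPropServiceType name and the bypass idea come from the article; the message layout, the service names, the other property names (HRPropUser, HRPropPassword, HRPropNonce, HRPropServiceAuth) and the per-service keys are assumptions made for the example, and the real MSO wire format is not modeled.

```python
"""Toy model of the HRPropServiceType authentication bypass described above.

Added example, not Team82's client and not GE's code. Only the idea comes from
the article: a login whose HRPropServiceType property names a local historian
service was accepted without any credential check. The message layout, the
service names, the other property names (HRPropUser, HRPropPassword,
HRPropNonce, HRPropServiceAuth) and the per-service keys are assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Assumed service-type values that the server treats as "one of its own".
LOCAL_SERVICE_TYPES = {"DataArchiver", "CollectorService", "ConfigManager"}

# Assumed operator credential store (the real product checks OS/Historian security).
USERS = {"operator": b"correct-horse-battery-staple"}

# Hardened design: each service gets a secret provisioned out of band, so that
# being a service is something a peer proves, not something it asserts.
SERVICE_KEYS = {svc: secrets.token_bytes(32) for svc in LOCAL_SERVICE_TYPES}


@dataclass
class LoginRequest:
    command: str
    props: dict  # HRProp-style mapping of property type -> value


def _check_credentials(props):
    user = props.get("HRPropUser")
    password = props.get("HRPropPassword", "")
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected, password.encode())


def authenticate_vulnerable(req):
    """Mirrors the flaw: a client-supplied service type skips the credential check."""
    if req.props.get("HRPropServiceType") in LOCAL_SERVICE_TYPES:
        return True  # trusted on the say-so of the remote client
    return _check_credentials(req.props)


def _service_mac(service_type, command, nonce):
    msg = f"{service_type}|{command}|{nonce}".encode()
    return hmac.new(SERVICE_KEYS[service_type], msg, hashlib.sha256).hexdigest()


_seen_nonces = set()  # replay protection; a real server would bound and expire this


def authenticate_hardened(req):
    """Service logins must carry a MAC under the service's key; nothing else is trusted.

    The article notes that services may run on another machine, so the source
    address alone cannot stand in for proof of identity.
    """
    service_type = req.props.get("HRPropServiceType")
    if service_type is None:
        return _check_credentials(req.props)
    if service_type not in SERVICE_KEYS:
        return False
    nonce = req.props.get("HRPropNonce")
    mac = req.props.get("HRPropServiceAuth")
    if not nonce or not mac or nonce in _seen_nonces:
        return False
    if not hmac.compare_digest(_service_mac(service_type, req.command, nonce), mac):
        return False
    _seen_nonces.add(nonce)
    return True


# Constructed sample messages.
def attacker_request():
    """Remote client that merely claims to be a local service."""
    return LoginRequest("Login", {"HRPropServiceType": "DataArchiver"})


def legit_service_request():
    """A real service: same service type, plus a fresh nonce and a MAC under its key."""
    nonce = secrets.token_hex(16)
    return LoginRequest("Login", {
        "HRPropServiceType": "DataArchiver",
        "HRPropNonce": nonce,
        "HRPropServiceAuth": _service_mac("DataArchiver", "Login", nonce),
    })


def operator_request(password="correct-horse-battery-staple"):
    return LoginRequest("Login", {"HRPropUser": "operator", "HRPropPassword": password})
```

Against the vulnerable dispatcher the attacker’s request, which carries nothing but the claimed service type, is accepted; against the hardened one it is rejected, a genuine service with a valid MAC is accepted once, and a replay of the same message is refused.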

Historian services use the MSO protocol to read, write, and manage historian data. Team82 found that some protocol commands could also be abused for malicious control. These commands exist so that a service can perform file and process actions, but the server does not validate the scope of what they operate on. Without a proper access control (authorization) mechanism, they can be abused by any client that has passed, or bypassed, the login step. Since the historian service runs as the SYSTEM user, all such actions execute with the highest privileges.

“Read/delete/write operations combined with the authentication bypass essentially give unauthenticated attackers full file read/write/delete privileges,” Katz wrote. “Attackers can use these primitives to delete and replace one of the dynamic link libraries (DLL) the historian uses to get full remote code execution.”

By chaining the vulnerabilities, Team82 was able to execute arbitrary code on a remote GE Proficy Historian server with SYSTEM privileges. The researchers also built a fully functional shell-style command line interface (CLI) supporting several commands: bypass authentication, upload an arbitrary file, read an arbitrary file, delete an arbitrary file, and execute code remotely.

To execute code remotely, Team82 chained the reported vulnerabilities together. The complete flow is: bypass authentication using one of the methods described above; use the DeleteTempFile command to delete ihOAuth2.dll from the Historian installation directory under Program Files; use the FileAppendNextChunk command to write a malicious DLL carrying the attacker’s own code into that directory under the name ihOAuth2.dll; then send a new Login message, which causes the historian to load the replaced DLL and execute the attacker’s code.
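The delete-and-replace step leaves a concrete artifact on disk: a DLL in the installation directory whose contents no longer match what the vendor shipped. The following script, added here as a detection example and not Team82’s tooling or part of the Historian product, baselines the SHA-256 of every DLL under a directory and reports files that were deleted, modified or added, which is what the DeleteTempFile / FileAppendNextChunk chain against ihOAuth2.dll produces. The installation path is a parameter because the article only says “under Program Files”; the demo runs against a constructed temporary directory with placeholder files standing in for the real DLLs.

```python
"""File-integrity check for the DLL-replacement step described above.

Added example, not Team82's tooling and not part of the Historian product.
It baselines the SHA-256 of every DLL under a directory and reports files
that were deleted, modified or added. The install path is a parameter
(the article only says "under Program Files"); the demo uses a constructed
temporary directory with placeholder files.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir):
    """Map each DLL's path (relative, POSIX-style) to its SHA-256 digest."""
    root = Path(install_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*.dll") if p.is_file()}


def check_against_baseline(install_dir, baseline):
    """Return sorted (status, relative_path) findings; an empty list means clean.

    Hashes, not timestamps or sizes, are compared: an attacker who can write
    arbitrary files can also pad the payload and reset modification times.
    """
    current = build_baseline(install_dir)
    findings = []
    for rel, digest in baseline.items():
        if rel not in current:
            findings.append(("deleted", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current.keys() - baseline.keys():
        findings.append(("added", rel))
    return sorted(findings)


def demo(replace=True):
    """Replay the chain on constructed files: delete ihOAuth2.dll, then optionally rewrite it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins; these are not the vendor's DLLs.
        (root / "ihOAuth2.dll").write_bytes(b"constructed stand-in for the shipped DLL")
        (root / "ihOther.dll").write_bytes(b"constructed stand-in for an untouched DLL")
        baseline = build_baseline(root)

        (root / "ihOAuth2.dll").unlink()            # DeleteTempFile step
        if replace:                                  # FileAppendNextChunk step
            (root / "ihOAuth2.dll").write_bytes(b"attacker-controlled DLL body")
        return check_against_baseline(root, baseline)
```

Take the baseline once on a known-good installation (for example right after applying the vendor SIM), store it off the historian host so a SYSTEM-level attacker cannot rewrite it alongside the DLL, and run the check on a schedule or whenever the service logs a new Login. A “modified” or “deleted” finding on ihOAuth2.dll is exactly the footprint of the chain described above.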

In December, Team82 researchers announced the development of a generic bypass of web application firewalls (WAF). Attackers using this technique would be able to bypass the WAF’s protection and use additional vulnerabilities to exfiltrate data. The bypass was found to work against WAFs sold by five vendors, including Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. All five vendors have been notified and have updated their products to support JSON syntax in their SQL injection inspection process.
