Industrial cybersecurity company Applied Risk on Tuesday analyzed security vulnerabilities detected in GE Digital's iFIX HMI/SCADA software. The vulnerabilities would allow an authenticated but unprivileged user to modify the system-wide iFIX configuration, potentially leading to execution of arbitrary attacker code. GE's iFIX is a Human Machine Interface (HMI) product used for industrial process visualization, monitoring and control.
Execution would occur with the privileges of the user running the iFIX software, who may be a different user on the system, so the flaw could be used for privilege escalation, Applied Risk said in a post.
GE has confirmed that iFIX versions up to and including 6.1 are affected. The Cybersecurity and Infrastructure Security Agency (CISA) reported that the iFIX vulnerabilities allow a local authenticated user to modify system-wide iFIX configuration through the registry, which may allow privilege escalation. It also found that the software allows a local authenticated user to modify system-wide iFIX configuration through section objects, which again may allow privilege escalation.
William Knowles of Applied Risk reported these vulnerabilities to CISA, along with Sharon Brizinov of Claroty who reported the vulnerabilities separately to GE.
Knowles, a security researcher, documents how the section object vulnerability facing iFIX was discovered, and how it could be abused for privilege escalation using GE’s iFIX 5.8 (build 8255).
Windows controls access to these section objects through Access Control Lists (ACLs) that operate independently of other Windows security mechanisms, according to Knowles. It is possible, for example, for a medium integrity process to open a handle to a section object initially created and used by a high integrity process, as long as the process's user context meets the criteria defined by the ACL.
If insecure permissions are configured on these section objects, however, an attacker could potentially abuse them to corrupt the memory of other processes and potentially achieve privilege escalation, Knowles said.
The insecure section object permissions were identified using Microsoft's accesschk tool. It revealed section objects with weak permissions that were used by iFIX processes, and in some instances a number of other weakly permissioned section objects that followed the same naming convention with different integer values, Knowles noted.
The privilege escalation example in this disclosure takes advantage of the section object that is named “ENV_MEM”.
The ACL was NULL, meaning no access control entries were configured; by default on a Windows system this makes the object accessible to any user, Knowles said. Because of this ACL configuration, a user of any privilege level could open a handle to the section object, read its contents, and write to it.
The “ENV_MEM” section object was inspected and found to be the memory location used to store application-specific environment variables.
For the demonstration, the NLSPATH variable was chosen. A program was written to open a handle to this section object and replace the contents of the NLSPATH variable with the malicious path "c:\temp", an example of a location writable by a low-privileged user, Knowles said.
This modification matters because iFIX uses these environment variables to determine the locations from which to load DLL files. Therefore, if an attacker can control these locations, they can control the DLLs loaded into high-privileged processes. C++ code for this modification is provided in the write-up, he added.
The compiled code can then be executed, and it successfully changes the environment variable's value. The write-up also shows the contents of the "c:\temp" directory, which holds a malicious DLL that spawns Microsoft's calculator, Knowles said.
When the System Configuration utility is next run, it searches the NLSPATH location for this DLL before loading it into its process, he added. The maliciously spawned process then runs in the context of the user who ran the System Configuration utility; since that binary requires high privileges, the process is high-privileged and privilege escalation is successful.
GE Digital recommends users immediately upgrade all instances of the affected software to GE Digital’s iFIX product v6.5, the CISA advisory said.
Knowles says a restrictive ACL should be explicitly set on all section objects. An ACL should never be NULL, as this permits any local user access to the object it protects. The configured ACL should restrict the section object to only the required users, such as the high-privileged users or groups running the iFIX processes, to help prevent the system-wide configuration from being edited by low-privileged users.
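Two defensive steps that follow from the NULL DACL finding and the mitigation above, as an added PowerShell example that is not from the write-up, Applied Risk or GE: Test-SectionDacl reports whether a named section object has a NULL DACL and which principals can write to it (the kind of check accesschk performs), and New-RestrictedSection creates a section with the explicit restrictive DACL Knowles recommends. It assumes Windows PowerShell 5.1 (.NET Framework); the function names, the Global\ prefix on ENV_MEM and the hardened section's name are assumptions.

```powershell
# Added example (not the write-up's code). Assumes Windows PowerShell 5.1 (.NET
# Framework MemoryMappedFile API); the "Global\" prefix on ENV_MEM is an assumption.
Add-Type -AssemblyName System.Core

function Test-SectionDacl {
    param([Parameter(Mandatory)][string]$Name)
    $rights = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::ReadPermissions
    $mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($Name, $rights)
    try {
        $sec = $mmf.GetAccessControl()
        # Re-parse the raw descriptor so a NULL DACL (no ACL, everyone allowed) is told
        # apart from an empty DACL (an ACL with zero ACEs, nobody allowed).
        $raw = [System.Security.AccessControl.RawSecurityDescriptor]::new($sec.GetSecurityDescriptorBinaryForm(), 0)
        $writeBit = [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Write
        $writers = @()
        if ($null -ne $raw.DiscretionaryAcl) {
            foreach ($rule in $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
                if ($rule.AccessControlType -eq 'Allow' -and (($rule.MemoryMappedFileRights -band $writeBit) -ne 0)) {
                    $writers += $rule.IdentityReference.Value
                }
            }
        }
        [pscustomobject]@{
            Section  = $Name
            NullDacl = ($null -eq $raw.DiscretionaryAcl)  # the weak setting found on ENV_MEM
            Writers  = $writers                           # principals able to modify the contents
        }
    } finally { $mmf.Dispose() }
}

function New-RestrictedSection {
    param([Parameter(Mandatory)][string]$Name, [long]$Capacity = 4096)
    $sec = New-Object System.IO.MemoryMappedFiles.MemoryMappedFileSecurity
    # Explicit, protected DACL: full access for SYSTEM and local Administrators only
    # (the high-privileged accounts expected to run the processes); no ACE for anyone else.
    $sec.SetSecurityDescriptorSddlForm('D:P(A;;GA;;;SY)(A;;GA;;;BA)')
    [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($Name, $Capacity,
        [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWrite,
        [System.IO.MemoryMappedFiles.MemoryMappedFileOptions]::None, $sec,
        [System.IO.HandleInheritability]::None)
}

# Audit the section named in the write-up, then audit one created with the hardened DACL.
Test-SectionDacl -Name 'Global\ENV_MEM'
$hardened = New-RestrictedSection -Name 'Local\ExampleHardenedSection'
Test-SectionDacl -Name 'Local\ExampleHardenedSection'
$hardened.Dispose()
```

Test-SectionDacl throws if the named section does not exist in the caller's session, so run it in the session where the iFIX processes created the object.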