News
Vendors
Vulnerabilities

Applied Risk analyses vulnerabilities found in GE iFIX HMI/SCADA equipment

February 11, 2021
GE iFIX

Industrial cybersecurity company Applied Risk analyzed on Tuesday security vulnerabilities that were detected in GE Digital’s iFIX HMI/SCADA equipment. The loopholes would allow an authenticated, but unprivileged user, to modify the system-wide iFIX configuration potentially leading to the arbitrary execution of attacker code. Used for industrial process visualization, monitoring and control, GE’s iFIX is a Human Machine Interface (HMI) product.

The execution would occur under the privileges of the user running the iFIX equipment, such as other users on the system, and therefore, could be used for privilege escalation, Applied Risk said in a post.

GE has confirmed that iFIX equipment up to and including version 6.1 are affected. The Cybersecurity and Infrastructure Security Agency (CISA) reported that iFIX’s vulnerabilities allows a local authenticated user to modify system-wide iFIX configurations through the registry, which may allow privilege escalation. It also found that the equipment allows a local authenticated user to modify system-wide iFIX configurations through section objects, which again may allow privilege escalation.

GE iFIX William Knowles, Senior Security Consultant

William Knowles, Senior Security Consultant, Applied Risk

William Knowles of Applied Risk reported these vulnerabilities to CISA, along with Sharon Brizinov of Claroty who reported the vulnerabilities separately to GE.

Knowles, a security researcher, documents how the section object vulnerability facing iFIX was discovered, and how it could be abused for privilege escalation using GE’s iFIX 5.8 (build 8255).

The Windows controls access to these section objects is through Access Control Lists (ACLs) that operate independently of other Windows security mechanisms, according to Knowles. It would be possible, for example, for a medium integrity process to open a handle to a section object initially created and used by a high integrity process, as long as the process’ user context meets the criteria defined by the ACL.

If insecure permissions are configured on these section objects, however, an attacker could potentially abuse them to corrupt the memory of other processes, and potentially achieve privilege escalation, Knowles said.

The insecure section object permissions were identified using Microsoft’s tool, accesschk. The section objects with weak permissions that were used by iFIX processes, and in some instances a number of other section objects with weak permissions that followed the same naming convention were identified with different integer values, Knowles noted.

The privilege escalation example in this disclosure takes advantage of the section object that is named “ENV_MEM”.

The ACL was set to NULL, and had no entries configured within it. By default on a Windows system this means that it is accessible by any user, Knowles said. Due to this ACL configuration a user of any privilege would be able to open a handle to the section object, read its contents, and write to them.

The “ENV_MEM” section object was inspected and found to be the memory location used to store application-specific environment variables.

For the demonstration, the NLSPATH variable is chosen. A program was written to open a handle to this section object and replace the contents of the NLSPATH variable with the malicious path “c:\temp”, which is an example of a location writable by a low privileged user, Knowles said.

The intent of this modification is that the environment variables are used by iFIX to determine the locations from which to load DLL files. Therefore, if an attacker can control these locations, they can control DLLs loaded into high privileged processes. C++ code is provided for this modification, he added.

Using a compiled version of the code, it can now be executed. This successfully changes the environment variable value. It also shows the contents of the “c:\temp” directory, where a malicious DLL spawns Microsoft’s calculator, Knowles said.

When the system configuration utility is next executed it searches the NLSPATH location for this DLL before loading it into its process, he added. This maliciously spawned process would then run under the context of the user that ran the System Configuration utility, which would be a high privileged process as that is what is required by the binary, and therefore, privilege escalation is successful.

GE Digital recommends users immediately upgrade all instances of the affected software to GE Digital’s iFIX product v6.5, the CISA advisory said.

Knowles says that a restrictive ACL should be explicitly set on all section objects. An ACL should never be NULL as this permits any local user access to the object that it protects. The configured ACL should restrict the section object to only the required users such as high privileged users or groups running the iFIX processes to help prevent the system-wide configuration from being edited by low privileged users.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape