ICS Advisory

GE Proficy Historian ihDataArchiver

Last Revised
Alert Code
ICSA-12-032-01

Overview

ICS-CERT originally released Advisory ICSA-12-032-01P on the US-CERT secure portal on March 02, 2012. This web page release was delayed to allow users time to download and install the update.

ICS-CERT received a report from GE Intelligent Platforms and the Zero Day Initiative (ZDI) concerning a memory corruption vulnerability in the GE Intelligent Platforms Proficy Historian Data Archiver. If exploited, this vulnerability could allow an attacker to cause the Historian Data Archiver service to crash, which may lead to arbitrary code execution. This vulnerability was reported to ZDI by independent security researcher Luigi Auriemma.

GE Intelligent Platforms has created a patch to address the issue.

Affected Products

This vulnerability affects the following GE Intelligent Platforms products:

  • Proficy Historian: Versions 4.5 and prior
  • Proficy HMI/SCADA–CIMPLICITY: Version 8.2 (with Proficy Historian 4.5 or prior installed)
  • Proficy HMI/SCADA–iFIX: Versions 5.5, 5.0, and 5.1 (with Proficy Historian 4.5 or prior installed).

Note: Proficy Pulse is not affected by the vulnerability described in this advisory.

Impact

Exploitation of this vulnerability could cause the Historian Data Archiver service to crash and potentially allow an attacker to take control of a system running the affected software. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Background

Proficy Historian is a data historian that collects, archives, and distributes production information. According to GE, the Proficy Historian product is deployed across multiple industries worldwide.

Vulnerability Characterization

Vulnerability Overview

A memory corruption vulnerability exists because of the way the Historian Data Archiver service (ihDataArchiver.exe or ihDataArchiver_x64.exe) processes incoming traffic on Port 14000/TCP. A specially crafted packet may cause the Historian Data Archiver service to crash and may allow arbitrary code execution.

CVE-2012-0229 has been assigned to this vulnerability.

Vulnerability Details

Exploitability

This vulnerability is remotely exploitable.

Existence of Exploit

No known exploits specifically target this vulnerability.

Difficulty

An attacker with a moderate skill level would be able to exploit these vulnerabilities.

Mitigation

GE Intelligent Platforms has released a security advisory and free product update Software Improvement Modules (SIMs) to address this vulnerability in Proficy software. GE Intelligent Platforms urges all customers to follow the recommendations in their security advisory.

Note: A valid GE user ID and Customer Service Number are required to access the advisory and update.

GE Intelligent Platforms recommends that customers apply product updates to Proficy Historian Versions 3.1, 3.5, 4.0, and 4.5. Proficy Historian customers using versions older than 3.1 are encouraged to upgrade to 3.1 or greater and\ then apply the appropriate product update.

GE Intelligent Platforms also recommends that Proficy HMI/SCADA.iFIX and Proficy HMI/SCADA . CIMPLICITY customers who have installed Proficy Historian apply these product updates as well. Alternatively, Proficy HMI/SCADA customers m\ ay uninstall the Proficy Historian software if it is not in use.

Note: Proficy SIMs are cumulative. All future SIMs will include these updates.

GE has provided the following installation instructions for iFIX and CIMPLICITY SIMs.

Option 1: Apply a product update to the Proficy Historian software.

Refer to the information above for .Historian Installations. and apply the appropriate product update to Proficy Historian.

Option 2: Uninstall Proficy Historian if not in use.

  1. Double-click the Add/Remove Programs icon in the Control Panel. The Add/Remove Programs dialog box opens.
  2. Select Proficy Historian, and click the Remove button.
    1. To uninstall Historian and save the current Historian configuration and data, select Do Not Delete Archives and click Next.
    2. To uninstall Historian and delete the current Historian configuration and data, select Delete Archives, and click Next.
  3. The uninstall proceeds and all Historian components are removed.

In addition to installing the product updates available from GE, ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
  • Locate control system networks and remote devices behind firewalls with properly configured rules addressing Port 14000/TCP, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to \ perform proper impact analysis and risk assessment prior to taking defensive measures.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in e-mail messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

GE