CERT VU:180876
Jan 25, 2008 - 12:00 a.m.

GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

2008-01-25 00:00:00
www.kb.cert.org
CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.013
Percentile: 85.9%

Overview

GE Fanuc Proficy Information Portal can transmit authentication credentials in plain text. An attacker could monitor traffic, obtain valid credentials, and gain access to the portal.

Description

GE Fanuc Proficy Information Portal is a web-based systems reporting tool often used to consolidate and integrate online and process-based systems data between Supervisory Control And Data Acquisition (SCADA) systems and the corporate network. Authentication credentials for the portal may be sent in an insecure manner. During the login procedure, usernames are sent to the portal in plaintext and passwords are sent in Base64-encoded format. Base64 is an encoding, not encryption, so it provides no confidentiality. An attacker may be able to monitor network traffic and obtain credentials to gain unauthorized access to the portal.

This vulnerability affects GE Fanuc Proficy Information Portal up to and including version 2.6.

Exploit code for this vulnerability is publicly available.


Impact

An attacker who can intercept network traffic can obtain authentication credentials.


Solution

Use SSL

Proficy Portal version 2.5 and up supports the use of Secure Socket Layer (SSL) connections between the client and server. The SSL protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services via public/private keys and certificates. Proficy customers should refer to GE Fanuc knowledge base article KB12459 for more information and configuration instructions.

Enable Integrated Windows Authentication

It is possible to configure the portal to use domain authentication so that user credentials are no longer sent in plaintext. According to GE Fanuc:

If domain security is being utilized, the easiest and perhaps most secure method of transmitting username and password information is to enable Windows Authentication within IIS. In this mode, IE and IIS will negotiate the security mechanisms to use and automatically authenticate the user logged into the machine running IE from the IIS server. No password is ever passed between the two computers and therefore cannot be intercepted.

Proficy customers should refer to GE Fanuc knowledge base article KB12459 and the Microsoft documents in the References section below for more information.


Restrict Access

Restrict network access to hosts that require connections to the portal. Do not allow access to the portal from untrusted networks such as the internet.
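
One way to check, from a capture taken on the portal's network segment, whether login credentials still cross the wire in recoverable form. This is an added example, not code from the advisory or from GE Fanuc; the request, the path and the field names (`user`, `pwd`) are constructed and hypothetical, since the advisory does not document the portal's login parameters.

```python
import base64
import binascii
from urllib.parse import parse_qsl

# Constructed sample: a cleartext HTTP login POST. The path and the field
# names (user, pwd) are hypothetical, not the portal's real parameters.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=operator1&pwd=UGxhbnRGbG9vciEy&lang=en"
)

def reversible_base64(value: str) -> bool:
    """True if value is well-formed Base64 that decodes to printable text."""
    if len(value) < 8 or len(value) % 4:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)

def audit_cleartext_form(raw_request: bytes, over_tls: bool) -> list[tuple[str, str]]:
    """Return (field, finding) pairs for a captured form POST.

    Decoded values are never returned, only the classification.
    """
    if over_tls:
        return []  # payload was protected in transit
    _, _, body = raw_request.partition(b"\r\n\r\n")
    findings = []
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if reversible_base64(value):
            # Encoding is not encryption: anyone on the path can reverse it.
            findings.append((name, "base64-encoded, trivially reversible"))
        else:
            findings.append((name, "plaintext"))
    return findings

if __name__ == "__main__":
    for field, finding in audit_cleartext_form(SAMPLE_REQUEST, over_tls=False):
        print(f"{field}: {finding}")
```

Any finding on a login request means the SSL or Integrated Windows Authentication configuration described above is not in effect for that client.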


Vendor Information

GE Fanuc: Affected

Notified: December 20, 2007
Updated: January 24, 2008

Status

Affected

Vendor Statement

The product can be configured to securely transmit the password. Please consult KB article KB12459 at the GE Fanuc Support Web Site for configuration information.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

We have no additional comments at this time.

CVSS Metrics

Group Score Vector
Base 0 AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Eyal Udassin of C4 Security.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2008-0174
Severity Metric: 0.17 Date Public:
