CVSS2: 4.6 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 6.3 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

EPSS: 0.0004 Low
Percentile: 5.3%

Zhou Yu of Acorn Network Security identified an improper privilege management vulnerability and recently released exploit code for the GE Proficy HMI/SCADA CIMPLICITY application without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT. GE produced a new version to mitigate this vulnerability in August 2014.
Exploits that target this vulnerability are known to be publicly available.
The following Proficy HMI/SCADA–CIMPLICITY versions are affected:
Successful exploitation of the vulnerability may allow an authenticated user on the system to modify the configuration of the CIMPLICITY service and launch any executable on the system as a service.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
GE is a US-based company that maintains offices in several countries around the world.
The affected product, Proficy HMI/SCADA–CIMPLICITY, is a Client/Server-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) application. According to GE, Proficy HMI/SCADA–CIMPLICITY is deployed across several sectors.
Vulnerable versions may allow users to modify the CIMPLICITY service by editing its service configuration.
CVE-2016-5787 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5787; NIST uses this advisory to create the CVE web site report, and this web site will be active sometime after publication of this advisory). A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) (CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, web site last accessed July 12, 2016).
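A defensive check for the condition described above, as an added example that is not part of the advisory or GE's code: it parses a Windows service security descriptor in SDDL form (as printed by `sc sdshow <service>`) and flags allow ACEs that let broad, non-administrative groups change the service configuration. The SDDL strings are constructed samples, not CIMPLICITY's actual descriptor, and the idea that the weakness is visible in the service DACL is an assumption.

```python
import re

# Rights that let a principal reconfigure a service, directly or by first
# rewriting its DACL/owner (two-letter SDDL codes as used for services).
RISKY_CODES = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
               "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs written in hex.
RISKY_BITS = {0x0002: "SERVICE_CHANGE_CONFIG", 0x40000: "WRITE_DAC",
              0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
              0x40000000: "GENERIC_WRITE"}
# Well-known SDDL SID aliases for broad, non-administrative groups.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Users",
            "IU": "Interactive", "NU": "Network", "AN": "Anonymous",
            "BG": "Guests", "DU": "Domain Users"}

# Constructed sample descriptors (assumptions for illustration only).
SAMPLE_WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")
SAMPLE_OK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def risky_rights(rights):
    """Names of reconfiguration rights present in one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in RISKY_BITS.items() if mask & bit]
    codes = re.findall("..", rights)      # SDDL rights are 2-letter codes
    return [RISKY_CODES[c] for c in codes if c in RISKY_CODES]

def audit_service_sddl(sddl):
    """Return (group, rights) pairs where an allow ACE in the DACL lets a
    low-privileged group change the service configuration."""
    # Keep only the DACL; the SACL (after "S:") holds audit ACEs, not access.
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":   # access-allowed ACEs only
            continue
        trustee, found = fields[5], risky_rights(fields[2])
        if trustee in LOW_PRIV and found:
            findings.append((LOW_PRIV[trustee], found))
    return findings

if __name__ == "__main__":
    print(audit_service_sddl(SAMPLE_WEAK))
```

Any finding means a non-administrative group can repoint the service binary or rewrite the descriptor, so the DACL should be tightened to administrators and SYSTEM for those rights.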
This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit is only triggered when a local user runs the vulnerable application and loads a malicious file.
Exploits that target this vulnerability are publicly available.
An attacker with low skill would be able to exploit this vulnerability. Social engineering is required to convince the user to accept a malicious file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.
In response to a recent public disclosure of proof-of-concept exploit code, GE has released a notification to its users of the identified vulnerability in an older version of the Proficy HMI/SCADA–CIMPLICITY application, along with the mitigation. GE’s notification is available at the following location:
<https://ge-ip.force.com/communities/en_US/Article/GE-Digital-Security-Advisory-GED-16-01>
In August 2014, GE released a new version of Proficy HMI/SCADA–CIMPLICITY, Version 8.2, SIM 27, that mitigated the identified vulnerability. It is available at the following location with a valid account:
<https://ge-ip.force.com/communities/en_US/Download/CIMPLICITY-8-2-SIM-27-DN>
GE recommends that users upgrade to Proficy HMI/SCADA–CIMPLICITY, Version 8.2, SIM 27 or later versions. The latest version, CIMPLICITY Version 8.2 SIM 43, is available at the following location with a valid account:
<https://ge-ip.force.com/communities/en_US/Download/CIMPLICITY-8-2-SIM-43>
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: