7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.04 Low
EPSS
Percentile
92.1%
CVSS v3 7.3
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: GE
**Equipment:**MDS PulseNET and MDS PulseNET Enterprise
**Vulnerabilities:**Improper Authentication, Improper Restriction of XML External Entity Reference, Relative Path Traversal
Exploitation of these vulnerabilities may allow elevation of privilege and exfiltration of information on the host platform.
GE reports that the vulnerabilities affect the following MDS PulseNET products:
Java Remote Method Invocation (RMI) input port may be exploited to allow unauthenticated users to launch applications and support remote code execution through Web Services.
CVE-2018-10611 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform.
CVE-2018-10613 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Directory traversal may lead to files being exfiltrated or deleted on the host platform.
CVE-2018-10615 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
rgod reported the vulnerabilities to Zero Day Initiative (ZDI).
GE has modified the product architecture and software of PulseNET. The latest version mitigates these specific vulnerabilities. GE encourages users to update PulseNET to Version 4.1 or newer to eliminate these vulnerabilities.
Updates for PulseNET are available at:
<http://www.gegridsolutions.com/Communications/MDS/PulseNET_Download.aspx>
Updates to PulsetNET Enterprise are available at:
<http://www.gegridsolutions.com/Communications/MDS/PulseNETEnt_Download.aspx>
In addition, GE recommends securing the PulseNET server using a defense in depth approach. Some key security considerations when deploying the PulseNET application include ensuring:
GE has published a product bulletin with mitigation for these vulnerabilities on their webpage at the following location:
http://www.gegridsolutions.com/app/DownloadFile.aspx?prod=pulsenet&type=9&file=1 (login required).
NCCIC recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10611
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10613
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10615
www.gegridsolutions.com/app/DownloadFile.aspx?prod=pulsenet&type=9&file=1
www.gegridsolutions.com/Communications/MDS/PulseNETEnt_Download.aspx
www.gegridsolutions.com/Communications/MDS/PulseNET_Download.aspx
cwe.mitre.org/data/definitions/23.html
cwe.mitre.org/data/definitions/287.html
cwe.mitre.org/data/definitions/611.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=GE%20MDS%20PulseNET%20and%20MDS%20PulseNET%20Enterprise+https://www.cisa.gov/news-events/ics-advisories/icsa-18-151-02
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-18-151-02&title=GE%20MDS%20PulseNET%20and%20MDS%20PulseNET%20Enterprise
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-18-151-02
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-18-151-02
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=GE%20MDS%20PulseNET%20and%20MDS%20PulseNET%20Enterprise&body=www.cisa.gov/news-events/ics-advisories/icsa-18-151-02
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.04 Low
EPSS
Percentile
92.1%