GE (General Electric)

Products by GE Sorted by Most Security Vulnerabilities since 2018

GE Cimplicity: 12 vulnerabilities

Ge Communicator: 5 vulnerabilities

GE Ifix: 5 vulnerabilities

GE Proficy Historian: 5 vulnerabilities

GE Industrial Gateway Server: 4 vulnerabilities

GE Mds Pulsenet: 3 vulnerabilities

GE Workstationst: 2 vulnerabilities

GE Toolboxst: 2 vulnerabilities

GE Micom S1 Agile: 1 vulnerability

GE Proficy Cimplicitiy: 1 vulnerability

GE Historian: 1 vulnerability

GE Ur Bootloader Binary: 1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in GE. Last year GE had 16 security vulnerabilities published. Right now, GE is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year    Vulnerabilities    Average Score
2024    0                  0.00
2023    16                 8.50
2022    11                 7.55
2021    2                  5.50
2020    5                  7.16
2019    5                  7.76
2018    5                  7.86

It may take a day or so for new GE vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent GE Security Vulnerabilities

CVE-2023-5908 9.1 - Critical - November 30, 2023

KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information.

Classic Buffer Overflow

CVE-2023-5909 7.5 - High - November 30, 2023

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.

Improper Certificate Validation

CVE-2023-0898 7.3 - High - November 07, 2023

General Electric MiCOM S1 Agile is vulnerable to an attacker achieving code execution by placing malicious DLL files in the directory of the application.

DLL preloading

CVE-2023-4487 7.8 - High - September 05, 2023

GE CIMPLICITY 2023 is affected by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.

Process Control

CVE-2023-3463 9.8 - Critical - July 19, 2023

All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code.

Memory Corruption

CVE-2023-1552 7.8 - High - April 11, 2023

ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.

Marshaling, Unmarshaling

CVE-2022-2825 9.8 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.

Stack Overflow

CVE-2022-2848 9.1 - Critical - March 29, 2023

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16486.

Heap-based Buffer Overflow

CVE-2023-0598 9.8 - Critical - March 16, 2023

GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software.

Code Injection

CVE-2023-0754 9.8 - Critical - February 23, 2023

The affected products are vulnerable to an integer overflow or wraparound, which could allow an attacker to crash the server and remotely execute arbitrary code.

Integer Overflow or Wraparound

CVE-2023-0755 9.8 - Critical - February 23, 2023

The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.

out-of-bounds array index

CVE-2022-38469 7.5 - High - January 18, 2023

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

Insufficiently Protected Credentials

CVE-2022-43494 6.5 - Medium - January 18, 2023

An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.

CVE-2022-46331 8.1 - High - January 18, 2023

An unauthorized user could possibly delete any file on the system.

CVE-2022-46660 6.5 - Medium - January 18, 2023

An unauthorized user could alter or write files with full control over the path and content of the file.

Unrestricted File Upload

CVE-2022-46732 9.8 - Critical - January 18, 2023

Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.

Authentication Bypass Using an Alternate Path or Channel

CVE-2022-3084 7.8 - High - December 08, 2022

GE CIMPLICITY versions 2022 and prior are vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code.

Access of Uninitialized Pointer

CVE-2022-3092 7.8 - High - December 08, 2022

GE CIMPLICITY versions 2022 and prior are vulnerable to an out-of-bounds write, which could allow an attacker to execute arbitrary code.

Memory Corruption

CVE-2022-2002 7.8 - High - December 07, 2022

GE CIMPLICITY versions 2022 and prior are vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.

Untrusted Pointer Dereference

CVE-2022-2948 7.8 - High - December 07, 2022

GE CIMPLICITY versions 2022 and prior are vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

Heap-based Buffer Overflow

CVE-2022-2952 7.8 - High - December 07, 2022

GE CIMPLICITY versions 2022 and prior are vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.

Access of Uninitialized Pointer

CVE-2022-37953 6.1 - Medium - August 25, 2022

An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST (<v07.09.15) and could allow an attacker to compromise a victim's browser/session. WorkstationST is only deployed in specific, controlled environments rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.

CVE-2022-37952 6.1 - Medium - August 25, 2022

A reflected cross-site scripting (XSS) vulnerability exists in the iHistorian Data Display of WorkstationST (<v07.09.15) and could allow an attacker to compromise a victim's browser. WorkstationST is only deployed in specific, controlled environments rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.

XSS

CVE-2021-44477 7.5 - High - March 25, 2022

GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

XXE

CVE-2021-27430 6.8 - Medium - March 23, 2022

GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.

Use of Hard-coded Credentials

CVE-2022-21798 9.8 - Critical - February 25, 2022

The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.

Cleartext Transmission of Sensitive Information

CVE-2022-23921 7.8 - High - February 25, 2022

Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.

Improper Privilege Management

CVE-2019-18243 5.5 - Medium - February 18, 2021

HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through the registry. This may allow privilege escalation.

Incorrect Permission Assignment for Critical Resource

CVE-2019-18255 5.5 - Medium - February 18, 2021

HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation.

Incorrect Permission Assignment for Critical Resource

CVE-2020-16244 7.2 - High - September 23, 2020

GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords.

CVE-2020-16240 5.3 - Medium - September 23, 2020

GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference (IDOR) vulnerability allows user account data to be downloaded in JavaScript object notation (JSON) format by users who should not have access to such functionality. An attacker can download sensitive data related to user accounts without having the proper privileges.

Insecure Direct Object Reference / IDOR

CVE-2020-6992 6.7 - Medium - April 15, 2020

A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer.

Improper Privilege Management

CVE-2019-13554 8.8 - High - April 07, 2020

GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials. GE recommends that users disable the Telnet service.

AuthZ

CVE-2019-13559 7.8 - High - April 07, 2020

GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process. GE recommends that users reset controller passwords during installation in the operating environment.

Use of Hard-coded Credentials

CVE-2019-6546 7.8 - High - May 09, 2019

GE Communicator, all versions prior to 4.0.517, allows an attacker to place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI elements.

DLL preloading

CVE-2019-6566 7.8 - High - May 09, 2019

GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to replace the uninstaller with a malicious version, which could allow an attacker to gain administrator privileges to the system.

Authorization

CVE-2019-6564 7.8 - High - May 09, 2019

GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to place malicious files within the installer file directory, which may allow an attacker to gain administrative privileges on a system during installation or upgrade.

DLL preloading

CVE-2019-6548 9.8 - Critical - May 09, 2019

GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

Use of Hard-coded Credentials

CVE-2019-6544 5.6 - Medium - May 09, 2019

GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.

Authorization

CVE-2018-15362 9.1 - Critical - December 07, 2018

XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0

XXE

CVE-2018-17925 4.8 - Medium - October 10, 2018

Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted.

CVE-2018-10615 8.1 - High - June 04, 2018

Directory traversal may lead to files being exfiltrated or deleted on the GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior host platform.

Directory traversal

CVE-2018-10613 7.5 - High - June 04, 2018

Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.

XXE

CVE-2018-10611 9.8 - Critical - June 04, 2018

Java remote method invocation (RMI) input port in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior may be exploited to allow unauthenticated users to launch applications and support remote code execution through web services.

Authentication

CVE-2016-9360 6.7 - Medium - February 13, 2017

An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session.

Insufficiently Protected Credentials

CVE-2016-5787 6.3 - Medium - July 15, 2016

General Electric (GE) Digital Proficy HMI/SCADA - CIMPLICITY before 8.2 SIM 27 mishandles service DACLs, which allows local users to modify a service configuration via unspecified vectors.

Exposure of Resource to Wrong Sphere

CVE-2008-0174 9.8 - Critical - January 29, 2008

GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the passwords and gain privileges.

Cleartext Storage of Sensitive Information

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).