OTPulse

GE Proficy Historian ihDataArchiver

Severity: Low Risk
Reference: ICS-CERT ICSA-12-032-01
Date: Nov 4, 2012
Summary

A buffer overflow vulnerability exists in the GE Proficy Historian ihDataArchiver service in version 4.5 and earlier. An unauthenticated remote attacker can send a specially crafted message to the archive service to trigger memory corruption and potentially execute arbitrary code with service-level privileges on the host computer. The historian service is responsible for collecting, storing, and serving historical trend data across HMI/SCADA systems, including CIMPLICITY and iFIX.

What this means
What could happen
An attacker can overrun a memory buffer in the Proficy Historian archive service, potentially executing code on the system that controls data logging and archival for critical industrial processes. This could allow unauthorized access to or modification of historical operational data, or disruption of the historian service itself.
Who's at risk
Energy and manufacturing facilities using GE Proficy Historian version 4.5 or earlier for process data archival and reporting. This includes any HMI/SCADA systems (CIMPLICITY or iFIX) that depend on Proficy Historian 4.5 or prior for logging and trend data. Water authorities and utilities with GE historian-based data systems are affected.
How it could be exploited
An attacker with network access to the Proficy Historian ihDataArchiver service (typically on port 5995 or through remote network calls) can send a specially crafted message to trigger a buffer overflow in the archive data processing routine. If successful, this allows arbitrary code execution with the service account privileges, typically system or administrative level on the host computer.
Prerequisites
  • Network access to Proficy Historian ihDataArchiver service on the host running Proficy Historian (port 5995 or similar)
  • Proficy Historian version 4.5 or earlier installed and running
  • No authentication is required to send the malicious message
Key facts
  • Buffer overflow vulnerability (CWE-119)
  • No patch available from vendor
  • No authentication required for exploitation
  • Remotely exploitable over the network
  • Affects data integrity and system availability
  • Impacts critical industrial control and monitoring systems
Exploitability
Moderate exploit probability (EPSS 5.4%)
Affected products (3, all EOL)
Product | Affected Versions | Fix Status
Proficy Historian | ≤ 4.5 | No fix (EOL)
Proficy HMI/SCADA–CIMPLICITY with Proficy Historian 4.5 or prior installed | 8.2 | No fix (EOL)
Proficy HMI/SCADA–iFIX with Proficy Historian 4.5 or prior installed | 5.5, 5.0, 5.1 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate Proficy Historian servers from untrusted networks using firewall rules that restrict inbound access to port 5995 and related historian communication ports to authorized engineering workstations and data collection servers only
  • HARDENING: Monitor the Proficy Historian ihDataArchiver service for unexpected restarts, which may indicate exploitation attempts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Review network access logs and historian audit logs for suspicious connections to the archive service
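As an added illustration of the monitoring controls above (not part of the OTPulse advisory or of any GE tooling), a short Python triage script applies them to constructed log lines: it flags connections to the ihDataArchiver port 5995 from hosts outside an assumed allowlist of engineering workstations, and counts ihDataArchiver stop events inside a sliding window so that a burst of service restarts stands out. The log format, the allowlisted addresses and the window size are assumptions.

```python
from datetime import datetime, timedelta

HISTORIAN_PORT = "5995"                          # ihDataArchiver listener named in the advisory
ALLOWED_SOURCES = {"10.10.1.20", "10.10.1.21"}   # assumed engineering workstations
RESTART_WINDOW = timedelta(minutes=10)           # assumed window for a "burst" of restarts

# Constructed sample log lines (not real captures): an ISO timestamp followed by key=value fields.
FIREWALL_LOG = [
    "2012-11-04T09:00:01 action=ACCEPT src=10.10.1.20 dst=10.10.2.5 dport=5995",
    "2012-11-04T09:00:07 action=ACCEPT src=10.10.1.21 dst=10.10.2.5 dport=5995",
    "2012-11-04T09:02:13 action=ACCEPT src=192.0.2.44 dst=10.10.2.5 dport=5995",
    "2012-11-04T09:02:20 action=ACCEPT src=192.0.2.44 dst=10.10.2.5 dport=445",
]
SERVICE_LOG = [
    "2012-11-04T09:02:15 service=ihDataArchiver state=stopped",
    "2012-11-04T09:02:40 service=ihDataArchiver state=started",
    "2012-11-04T09:03:05 service=ihDataArchiver state=stopped",
    "2012-11-04T09:03:30 service=ihDataArchiver state=started",
    "2012-11-04T09:04:00 service=ihDataArchiver state=stopped",
    "2012-11-04T09:04:30 service=ihDataArchiver state=started",
]

def parse(line):
    """Split '<iso-timestamp> k=v k=v ...' into (datetime, dict of fields)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    return datetime.fromisoformat(ts), fields

def unexpected_historian_connections(lines, allowed=ALLOWED_SOURCES):
    """(timestamp, source) pairs that reached the historian port but are not allowlisted."""
    hits = []
    for ts, f in map(parse, lines):
        if f.get("dport") == HISTORIAN_PORT and f.get("src", "?") not in allowed:
            hits.append((ts, f.get("src", "?")))
    return hits

def max_stops_in_window(lines, window=RESTART_WINDOW):
    """Largest number of ihDataArchiver stop events that fall inside any sliding window."""
    stops = sorted(ts for ts, f in map(parse, lines)
                   if f.get("service") == "ihDataArchiver" and f.get("state") == "stopped")
    best = 0
    for i, start in enumerate(stops):
        best = max(best, sum(1 for t in stops[i:] if t - start <= window))
    return best

if __name__ == "__main__":
    for ts, src in unexpected_historian_connections(FIREWALL_LOG):
        print(f"{ts}: non-allowlisted host {src} reached port {HISTORIAN_PORT}")
    stops = max_stops_in_window(SERVICE_LOG)
    if stops >= 3:
        print(f"{stops} ihDataArchiver stops within {RESTART_WINDOW}: investigate for exploitation")
```

On the constructed data the script reports one non-allowlisted source and three stops within ten minutes, the combination a reviewer of the access and service logs would want to see correlated.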
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Proficy Historian: <=4.5, Proficy HMI/SCADA–CIMPLICITY with Proficy Historian 4.5 or prior installed: 8.2, Proficy HMI/SCADA–iFIX with Proficy Historian 4.5 or prior installed: 5.5|5.0|5.1. Apply the following compensating controls:
  • HARDENING: Evaluate a migration or upgrade path to a newer vendor solution, as GE Vernova has not provided patches for the affected versions