GE Intelligent Platforms Proficy HTML Help Vulnerabilities
Act Now · 8.8 · ICS-CERT ICSA-12-131-02 · Feb 11, 2012
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
GE Intelligent Platforms Proficy HTML Help contains a buffer overflow vulnerability in the KeyHelp.ocx ActiveX control that allows remote code execution when a user visits a malicious HTML file or webpage. The vulnerability is triggered through social engineering and affects multiple Proficy product lines: Historian, iFIX (HMI/SCADA), Pulse, Batch Execution, and SI7 I/O Driver. No security patches are available from GE. Mitigation requires unregistering and removing the vulnerable ActiveX control.
What this means
What could happen
An attacker could execute arbitrary code on a machine running these Proficy applications if a user clicks a malicious link or visits a compromised website. This could allow the attacker to gain control of engineering workstations, HMI systems, or data historian servers that manage critical process operations.
Who's at risk
Operators and engineers at energy utilities and manufacturing facilities using GE Proficy software suites are at risk. This includes sites using Proficy Historian for data collection, iFIX for HMI/SCADA operations, Proficy Pulse for monitoring, Batch Execution for process control, or SI7 I/O Drivers for device communication. Engineering workstations and operator consoles are the primary attack target.
How it could be exploited
An attacker crafts a malicious HTML file or webpage that exploits the KeyHelp.ocx ActiveX control vulnerability. When a user with one of the affected Proficy products installed visits the link (via email, phishing, or compromised website), the ActiveX control executes the attacker's code with the privileges of the logged-in user. No special network access to the plant network is required—only social engineering to get the user to click.
Prerequisites
- User with an affected Proficy product installed on their workstation must click a malicious link or visit a compromised website
- The KeyHelp.ocx ActiveX control must be registered and active on the victim's machine
- No special network access required
- remotely exploitable via phishing or compromised website
- user interaction required (clicking link)
- high complexity exploitation (requires crafted HTML/ActiveX)
- high EPSS score (69.4%)
- no patch available; product end-of-life
- affects engineering workstations and control system interfaces
Exploitability
High exploit probability (EPSS 69.4%)
Affected products (6)
6 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Proficy Historian | 4.5, 4.0, 3.5, 3.1 | No fix (EOL) |
| Proficy HMI/SCADA – iFIX | 5.1, 5.0 | No fix (EOL) |
| Proficy Pulse | 1.0 | No fix (EOL) |
| Proficy Batch Execution | 5.6 | No fix (EOL) |
| SI7 I/O Driver | 7.20, 7.42 | No fix (EOL) |
| SI7 I/O Driver | ≥ 7.20, ≤ 7.42 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Unregister and delete the KeyHelp.ocx ActiveX control, following GE's specific instructions for your affected product in security advisory GEIP12-04.
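To find workstations where the registration prerequisite listed above still holds, the following added example (not from GE, ICS-CERT or this advisory) lists COM registrations whose in-process server path names KeyHelp.ocx. It assumes the control is registered under a CLSID's InprocServer32 key; it only reads the registry and changes nothing.

```powershell
# Added example: read-only audit, not GE's or ICS-CERT's procedure.
# Assumption: KeyHelp.ocx is registered as an in-process COM server, so its
# path is the default value of an InprocServer32 key under some CLSID.
$target = 'KeyHelp.ocx'

# Machine-wide (native and 32-bit view) and per-user COM class registrations.
$roots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($clsidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        try {
            $server = $clsidKey.OpenSubKey('InprocServer32')
        } catch {
            continue   # key not readable with current rights; skip it
        }
        if ($null -eq $server) { continue }
        $path = [string]$server.GetValue('')   # default value = server DLL/OCX path
        $server.Close()
        if ($path -notmatch [regex]::Escape($target)) { continue }

        $file = $path.Trim('"')
        [pscustomobject]@{
            CLSID      = $clsidKey.PSChildName
            Registered = $root
            ServerPath = $file
            FileOnDisk = Test-Path -LiteralPath $file
        }
    }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$target is still registered on $env:COMPUTERNAME; unregister and remove it per GEIP12-04."
} else {
    Write-Output "No COM registration referencing $target found on $env:COMPUTERNAME."
}
```

A host that reports no registration but still has the file on disk has only been partly remediated, since the workaround calls for deleting the control as well as unregistering it.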
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Proficy Historian 4.5, 4.0, 3.5, 3.1; Proficy HMI/SCADA – iFIX 5.1, 5.0; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20, 7.42; SI7 I/O Driver ≥ 7.20, ≤ 7.42. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate engineering workstations and HMI/SCADA systems from the general business network and the Internet.
- HARDENING: Deploy email content filtering and web gateway controls to block malicious links and phishing attempts targeting employees.
- HARDENING: Train staff to recognize phishing emails and avoid clicking unsolicited links, especially those referencing help files or documentation.
CVEs (2)