OTPulse

Pro-face GP-Pro EX HMI Vulnerabilities

Act Now | CVSS 9.1 | ICS-CERT ICSA-16-096-01 | Jan 7, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Pro-face GP-Pro EX HMI versions 1.00 through 4.0.3 contain multiple memory safety vulnerabilities (buffer overflow, out-of-bounds read/write) in the EX runtime environment. These vulnerabilities (CWE-122, CWE-125, CWE-121, CWE-798) allow an unauthenticated network attacker to read sensitive data from memory or write to process memory without user interaction. The affected products include EX-ED, PFXEXEDV, PFXEXEDLS, and PFXEXGRPLS. No vendor patch is available.

What this means
What could happen
An attacker with network access to the HMI could exploit multiple memory safety vulnerabilities to read sensitive data or modify process parameters and operator screens, potentially disrupting manufacturing operations.
Who's at risk
Manufacturing facilities and plants using Pro-face GP-Pro EX HMI software (models EX-ED, PFXEXEDV, PFXEXEDLS, PFXEXGRPLS) in versions below 4.0.4. This affects any operator workstation or panel PC running the vulnerable HMI software that interfaces with manufacturing equipment, assembly lines, or process control systems.
How it could be exploited
An attacker sends a specially crafted network packet to the vulnerable HMI application. The packet triggers a buffer overflow or out-of-bounds memory access (CWE-122, CWE-125, CWE-121) in the EX runtime environment, allowing the attacker to read memory (such as credentials) or write to memory to alter HMI behavior and connected control system commands.
Prerequisites
  • Network access to the HMI device (typically port 502 Modbus or HTTP/HTTPS port used by Pro-face)
  • No authentication required to send the malicious packet
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available
  • Memory safety vulnerabilities (buffer overflow, out-of-bounds access)
  • CVSS 9.1 critical severity
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (4)
4 with fix
Product       Affected Versions    Fix Status
EX-ED         >= 1.00, < 4.0.4     4.0.4
PFXEXEDV      >= 1.00, < 4.0.4     4.0.4
PFXEXEDLS     >= 1.00, < 4.0.4     4.0.4
PFXEXGRPLS    >= 1.00, < 4.0.4     4.0.4
Remediation & Mitigation
Do now
  • [HARDENING] Network segregation: Place the GP-Pro EX HMI on a dedicated manufacturing network segment with access controls and firewall rules limiting inbound connections to authorized engineering and SCADA systems only
  • [HARDENING] Disable remote access: If remote engineering or monitoring is not required, disable or restrict network access to the HMI to local connections only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • [WORKAROUND] Monitor for exploitation attempts: Enable logging and network monitoring for unusual connection patterns or malformed packets to the HMI
Long-term hardening
  • [HARDENING] Evaluate replacement: Since no vendor patch is available, assess the feasibility of upgrading to a newer Pro-face HMI platform or alternative vendor solution that receives security updates
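
The network segregation and monitoring items above can be verified against firewall logs. The following is an added example, not part of the advisory or of any Pro-face or OTPulse tooling; the addresses, the allowlist, the log layout and the choice of port 502 as the only permitted port are assumptions to adapt per site.

```python
import ipaddress

# Everything below is constructed for illustration: addresses, allowlist, log layout.
HMI_HOSTS = {ipaddress.ip_address("10.20.30.50")}            # hypothetical HMI panel
AUTHORIZED = [ipaddress.ip_network("10.20.30.0/28"),         # engineering workstations
              ipaddress.ip_network("10.20.40.5/32")]         # SCADA server
ALLOWED_PORTS = {502}  # assumption: only Modbus/TCP is needed; adjust per site

SAMPLE_LOG = """\
2024-01-01T08:00:01Z ACCEPT src=10.20.30.4 dst=10.20.30.50 dport=502
2024-01-01T08:00:09Z ACCEPT src=10.20.40.5 dst=10.20.30.50 dport=502
2024-01-01T08:02:13Z ACCEPT src=192.168.7.23 dst=10.20.30.50 dport=502
2024-01-01T08:02:14Z DROP src=192.168.7.23 dst=10.20.30.50 dport=80
2024-01-01T08:03:00Z ACCEPT src=10.20.30.4 dst=10.20.30.50 dport=8080
2024-01-01T08:03:05Z ACCEPT src=10.20.30.4 dst=10.20.30.99 dport=502
"""

def parse_line(line):
    """Return (action, src, dst, dport), or None if the line does not parse."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return (parts[1], ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (IndexError, KeyError, ValueError):
        return None

def audit(log_text):
    """Return (line_no, kind, detail) for HMI-bound traffic outside the allowlist."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                findings.append((n, "unparsed", line.strip()))  # never drop silently
            continue
        action, src, dst, dport = rec
        if dst not in HMI_HOSTS:
            continue
        if not any(src in net for net in AUTHORIZED):
            # ACCEPT here means the firewall let an unauthorized host reach the HMI.
            kind = "segmentation-gap" if action == "ACCEPT" else "blocked-probe"
            findings.append((n, kind, str(src)))
        elif action == "ACCEPT" and dport not in ALLOWED_PORTS:
            findings.append((n, "unexpected-port", f"{src}:{dport}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A "segmentation-gap" finding indicates a firewall rule that needs tightening, while "blocked-probe" is a monitoring signal from traffic the firewall already stopped.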