GE Proficy GDS
Action: Plan patch | Score: 8.2 | ICS-CERT ICSA-18-340-01 | Published: Dec 6, 2018
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary
GE Proficy GDS, shipped as part of GE Cimplicity HMI/SCADA software, contains an XML External Entity (XXE) vulnerability in its OPC UA protocol handler in versions 9.0 R2, 9.5, and 10.0. The handler's XML parser resolves external entity references, so an unauthenticated remote attacker who can open an OPC UA session can submit a crafted XML document whose external entity points at a local file path, and the server returns that file's contents in its response. Files at risk include configuration databases, stored user credentials, and process parameters. CWE-611: Improper Restriction of XML External Entity Reference.
What this means
What could happen
An attacker with network access to the OPC UA port could retrieve arbitrary files from the Cimplicity server without authentication, exposing sensitive configuration data, credentials, or process information needed to plan further attacks.
Who's at risk
Energy sector organizations using GE Cimplicity (versions 9.0 R2, 9.5, or 10.0) for SCADA, HMI, or data gateway functions should assess their exposure. This includes electric utilities and water authorities running Cimplicity for real-time monitoring and control of substations, generation plants, or distribution networks.
How it could be exploited
An attacker initiates an OPC UA session to the Cimplicity server over the network (port 48010 by default) and sends an XML message that declares an external entity whose SYSTEM identifier is a path on the server's file system. Because the handler does not restrict external entity resolution, the parser reads the referenced file while expanding the entity and includes its contents in the response, all before any credential check. The attacker repeats this for each file of interest and exfiltrates the data.
Prerequisites
- Network access to the OPC UA port (default 48010) on the Cimplicity server
- OPC UA client software
- No credentials required
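The parser behaviour described above, as an added example that is not part of the advisory and not GE's code: the OPC UA handler's source is not public, so the defect is reproduced with Python's standard-library xml.sax parser, whose external-entity feature can be switched on (the vulnerable configuration) or off (the hardened one). The payload, the secret file, and every function name here are constructed for illustration; a pre-parse DOCTYPE check is included as the kind of filter a gateway could apply to inbound messages.

```python
"""XXE demonstration for CWE-611, using Python's stdlib xml.sax in place of the
GE OPC UA handler (whose code is not public). The payload, the secret file and
both parser configurations are constructed here and are not from the advisory."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_payload(target_path):
    """Classic XXE payload: an external general entity whose SYSTEM id is a
    local file. Real payloads usually use a file:///... URL; a plain path is
    used here so the example runs unchanged on any platform."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE creds [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<creds>&xxe;</creds>\n'
    )


def parse(xml_text, resolve_external_entities):
    """Parse with xml.sax. feature_external_ges=True reproduces the vulnerable
    behaviour (entity resolved, file read into the document). False is the
    hardened setting: the default since Python 3.7.1, but older interpreters
    defaulted to True, so a hardened parser sets it explicitly."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_text.encode()))
    return handler.text()


def has_doctype(xml_bytes):
    """Cheap pre-parse filter: protocol messages never need a DTD, so any
    DOCTYPE or ENTITY declaration in the head of a message is an attack signal
    and the message can be dropped before it reaches the XML parser."""
    head = xml_bytes.lstrip()[:4096].lower()
    return b"<!doctype" in head or b"<!entity" in head


def demo():
    """Returns (leaked_text, hardened_text) for a constructed secret file."""
    secret = "admin:s3cr3t\n"  # constructed sample standing in for a config file
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret)
        path = f.name
    try:
        payload = build_xxe_payload(path)
        leaked = parse(payload, resolve_external_entities=True)
        blocked = parse(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))   # the secret file's text
    print("hardened parser returned:  ", repr(blocked))  # empty: entity not resolved
```

The two parse calls differ only in the feature flag, which is the whole point of CWE-611: the fix is a parser setting, not input sanitisation. The `has_doctype` filter is a defence-in-depth layer for a network boundary (for example on a proxy in front of the OPC UA port), not a substitute for fixing the parser, since it inspects only the start of the message.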
Tags: remotely exploitable, no authentication required, low complexity, default OPC UA port exposed, affects SCADA/HMI systems, no in-place patch for affected versions (fix is an upgrade to GE Proficy GDS 2.1)
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (3)
3 with fix
Product | Affected versions | Fix status
Cimplicity 9.0 R2 | 9.0 R2 | Fixed in GE Proficy GDS 2.1
Cimplicity 9.5 | 9.5 | Fixed in GE Proficy GDS 2.1
Cimplicity 10.0 | 10.0 | Fixed in GE Proficy GDS 2.1
Remediation & Mitigation
Do now
WORKAROUND: Block or restrict network access to the OPC UA port (default 48010) from untrusted networks using firewall rules or access control lists.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update to GE Proficy GDS version 2.1 or newer.
Long-term hardening
HARDENING: Isolate Cimplicity servers from the business network and the Internet; place them behind a firewall with inbound access restricted to authorized engineering workstations and control system networks only.
HARDENING: If remote access to Cimplicity is required, use a VPN with strong authentication and keep the VPN software patched.
CVEs (1)