OTPulse

GE Digital CIMPLICITY

Monitor · CVSS 6 · ICS-CERT ICSA-20-098-02 · Apr 7, 2020
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

GE Digital CIMPLICITY versions 10.0 and earlier contain a local privilege escalation vulnerability in configuration management (CWE-269) that allows an attacker with high privileges to modify systemwide CIMPLICITY configuration and execute arbitrary code. The vulnerability is not remotely exploitable and no public exploits are known. GE Digital has released version 11.0 (January 2020) containing mitigations for this issue. Versions 10.0 and earlier will not receive patches and are end-of-support.

What this means
What could happen
An attacker with administrative privileges on the CIMPLICITY workstation could modify the system configuration and execute arbitrary code, potentially altering process setpoints, halting operations, or corrupting historical data in energy generation or distribution systems.
Who's at risk
Energy utilities and generation facilities operating GE Digital CIMPLICITY supervisory systems running version 10.0 or earlier. This includes SCADA/HMI workstations used for process monitoring and configuration in power generation, transmission, and distribution environments.
How it could be exploited
An attacker with local administrative or high-privilege access to a CIMPLICITY v10.0 or earlier workstation can exploit an improper privilege management flaw (CWE-269) to modify the systemwide CIMPLICITY configuration files and execute arbitrary commands with system-level permissions.
Prerequisites
  • Local access to the CIMPLICITY workstation
  • High privilege account or ability to escalate privileges locally
  • CIMPLICITY version 10.0 or earlier
  • No patch available for v10.0 and prior
  • Affects control system configuration capabilities
  • High privilege requirement (reduces immediate risk)
  • Local access only (reduces remote attack risk)
  • CIMPLICITY is end-of-life software
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: GE Digital CIMPLICITY: v10.0 and prior are affected by this vulnerability
Affected Versions: ≤ 10.0
Fix Status: 11.0
Remediation & Mitigation
Do now
  • HARDENING: Apply principle of least privilege to all CIMPLICITY user accounts
  • HARDENING: Restrict physical and logical access to CIMPLICITY systems to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade GE Digital CIMPLICITY to version 11.0 or newer
  • HARDENING: Isolate CIMPLICITY workstations from business network and Internet access behind firewalls
  • HARDENING: Review and apply GE Digital's Secure Deployment Guide for CIMPLICITY configuration hardening
GE Digital CIMPLICITY | CVSS 6 - OTPulse