OTPulse

GE Digital APM Classic

Action: Plan Patch
Score: 7.5
Reference: ICS-CERT ICSA-20-266-01
Published: Sep 22, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

GE Digital APM Classic versions 4.4 and earlier contain vulnerabilities (CWE-639, CWE-759) that allow unauthenticated remote access to sensitive information. An attacker on the network can read confidential data without valid credentials. GE Digital APM Classic 4.5 or later contains mitigations for these vulnerabilities. Versions 4.4 and earlier have no fix available.

What this means
What could happen
An attacker with network access to APM Classic can read sensitive information from the system, such as configuration data or credentials, without needing to authenticate.
Who's at risk
Energy sector organizations using GE Digital APM Classic for asset and performance management should be concerned, particularly utilities managing generation, transmission, or distribution assets. Affected versions 4.4 and earlier run on both Windows servers and edge devices that may be integrated with SCADA or other control systems.
How it could be exploited
An attacker on the network sends unauthenticated requests to APM Classic to access sensitive data. The vulnerability allows information disclosure without requiring valid credentials or user interaction.
Prerequisites
  • Network access to APM Classic system
  • APM Classic version 4.4 or earlier deployed
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Information disclosure of sensitive data
  • No patch available for versions below 4.5
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product      | Affected Versions | Fix Status
APM Classic  | ≤ 4.4             | 4.5
Remediation & Mitigation
Do now
HARDENING: Implement network firewall rules to restrict access to APM Classic from the internet and limit connectivity to authorized internal networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade GE Digital APM Classic to version 4.5 or later
Long-term hardening
HARDENING: Isolate the APM Classic system and control system networks behind firewalls, separate from the business network
HARDENING: If remote access to APM Classic is necessary, use a VPN to encrypt traffic and require strong authentication