OTPulse

GE Gas Power ToolBoxST

Plan Patch | 7.5 | ICS-CERT ICSA-22-025-01 | Jan 25, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ToolBoxST OS versions prior to 07.09.07C contain XML vulnerabilities (CWE-611: XML External Entity injection, CWE-22: path traversal) that allow remote attackers to read sensitive files or write arbitrary content. CVE-2021-44477 stems from improper DTD handling in XML parsing; CVE-2018-16202 affects the Ionic library. Successful exploitation could result in data exfiltration, arbitrary file write/overwrite, or code execution. The vulnerabilities require only network access and no credentials.

What this means
What could happen
An attacker with network access to ToolBoxST could read sensitive data or write arbitrary files to the system, potentially compromising engineering data or enabling malicious commands to be executed on connected controllers.
Who's at risk
Gas turbine and power generation operators using GE ToolBoxST for control system engineering and configuration. This affects energy and oil & gas facilities that use ToolBoxST to manage or program controllers that regulate turbines, generators, and process systems.
How it could be exploited
An attacker on the network sends a specially crafted XML request with external DTD (document type definition) references or path traversal payloads to ToolBoxST. The application parses the XML without proper validation, allowing the attacker to exfiltrate configuration files or inject malicious content into the system.
Prerequisites
  • Network access to ToolBoxST (port/service unspecified in advisory)
  • No credentials required
  • ToolBoxST OS version prior to 07.09.07C
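The two weakness classes named above (CWE-611 and CWE-22) are both failures to validate attacker-controlled input before a parser or file API acts on it. The following Python is an added defensive example, not code from the advisory, from GE, or from ToolBoxST: it shows an XML loader that refuses any document carrying a DOCTYPE (the only place an external entity can be declared) and a path resolver that confines caller-supplied relative paths to a base directory. The sample XML documents, the base directory `/tmp/toolbox_exports`, and the file URL inside the sample entity are all constructed for the example.

```python
import os
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDNotAllowed(ValueError):
    """Raised when an XML document declares a DOCTYPE/DTD (where XXE lives)."""


class PathTraversal(ValueError):
    """Raised when a caller-supplied path escapes its base directory."""


def parse_xml_without_dtd(data: bytes) -> ET.Element:
    """Parse XML but refuse any document that declares a DTD.

    Pass 1 is a bare expat scan whose only job is to abort the moment a
    <!DOCTYPE ...> appears, before any entity declared inside it can be
    referenced. Pass 2 builds the tree with ElementTree and is reached only
    by DTD-free input. Scanning twice is cheap for configuration-sized files.
    """
    scanner = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside a pyexpat handler propagate out of Parse().
        raise DTDNotAllowed(f"DOCTYPE '{name}' refused: DTDs are not accepted")

    scanner.StartDoctypeDeclHandler = reject_doctype
    scanner.Parse(data, True)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Convenience wrapper: report whether a document passed the DTD gate."""
    try:
        parse_xml_without_dtd(data)
        return "accepted"
    except DTDNotAllowed:
        return "rejected-dtd"


def resolve_within(base_dir: str, user_path: str) -> str:
    """Resolve a caller-supplied path and require it to stay under base_dir.

    realpath() collapses '..' segments and follows symlinks on both sides, so
    the containment test compares canonical absolute paths, not raw strings.
    An absolute user_path is not silently joined; os.path.join drops the base
    and the commonpath check then rejects it.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathTraversal(f"{user_path!r} resolves outside {base_dir!r}")
    return target


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within for callers that only need a verdict."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversal:
        return False


# Constructed samples (not taken from the advisory): a benign configuration
# export and one carrying an external entity declaration of the kind CWE-611
# describes. The file URL is a placeholder, not a real target path.
BENIGN_XML = b'<?xml version="1.0"?><config><unit name="GT-1"/></config>'
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///placeholder/protected.txt">]>'
    b'<config><unit name="&ext;"/></config>'
)

# Constructed base directory for the path checks; it need not exist on disk.
EXPORT_DIR = "/tmp/toolbox_exports"


if __name__ == "__main__":
    print("benign document:", classify(BENIGN_XML))
    print("document with DTD:", classify(XXE_XML))
    print("configs/unit1.xml contained:", is_contained(EXPORT_DIR, "configs/unit1.xml"))
    print("../../etc/passwd contained:", is_contained(EXPORT_DIR, "../../etc/passwd"))
```

Rejecting the DOCTYPE outright is a stricter policy than disabling only external entity resolution, but it also closes internal-entity expansion attacks and is the right default for a tool that only ever exchanges its own schema-less configuration XML. The path check deliberately canonicalises both sides before comparing, so a base directory reached through a symlink (for example `/tmp` on macOS) is handled consistently.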
Tags: remotely exploitable · no authentication required · low complexity · data exfiltration possible · arbitrary write/file execution possible
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (1)
Product: ToolBoxST (OS: All)
Affected Versions: < 07.09.07C
Fix Status: 07.09.07C
Remediation & Mitigation
Do now
WORKAROUND: Enable SDI Secure Mode to validate command authenticity and prevent spoofing of SDI download operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade ToolBoxST OS to version 07.09.07C or later
Long-term hardening
HARDENING: Implement network segmentation to isolate ToolBoxST and connected controllers from untrusted networks
HARDENING: Place controllers behind a controls network firewall and ensure they are not accessible from the Internet
HARDENING: Implement IDS/IPS and network access control (NAC) within the controls network
HARDENING: Disable remote access services (RDP, etc.) unless required; monitor and restrict on a least-privilege basis
HARDENING: Follow password protection and network segmentation guidance in GE document GEH-6839 Secure Deployment Guide
HARDENING: Maintain anti-malware and endpoint detection and response (EDR) solutions