GE iFIX
Monitor | 7.8 | ICS-CERT ICSA-23-073-03 | Mar 29, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
This vulnerability in GE Proficy iFIX versions 2022, 6.1, and 6.5 allows privilege escalation via code injection (CWE-94). A user with local access to an iFIX workstation can execute arbitrary code with system-level privileges, gaining full control over the HMI system and any connected industrial equipment. This is not remotely exploitable; an attacker must have local user-level access to the affected system.
What this means
What could happen
An attacker with local access could escalate privileges and gain full control of the iFIX system, potentially allowing them to modify process data, alter setpoints, or halt operations on connected industrial equipment.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators running GE Proficy iFIX HMI/SCADA systems should be concerned. iFIX is used to monitor and control industrial processes including water distribution, treatment, electrical generation, and transmission systems.
How it could be exploited
An attacker with local user-level access to an iFIX workstation can exploit a code injection vulnerability to escalate privileges and execute arbitrary commands as a system administrator, giving them full control over the HMI/SCADA system and any connected devices.
Prerequisites
- Local access to an iFIX workstation
- Standard user account or equivalent credentials on the iFIX system
- Local access required (not remotely exploitable)
- Low complexity privilege escalation
- Affects production control system (HMI/SCADA)
- No patch available for older versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
Proficy iFIX: 2022 | 2022 | No fix yet
Proficy iFIX: v6.1 | 6.1 | No fix yet
Proficy iFIX: v6.5 | 6.5 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Configure and enforce Access Control Lists (ACLs) per the Secure Deployment Guide to restrict local access to iFIX workstations
- HARDENING: Restrict local physical and network access to iFIX systems to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade to Proficy iFIX 2023
- HOTFIX: Apply Simulation Driver (SIM) security patches to iFIX 2022, v6.1, or v6.5 if upgrade to 2023 is not immediately possible
Long-term hardening
- HARDENING: Isolate iFIX workstations and control system networks from business networks with firewalls
CVEs (1)