All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
ICS-CERT originally released Advisory ICSA-11-243-02P on the US-CERT secure Portal on August 31, 2011. ICS-CERT has received a report from independent security researchers Billy Rios and Terry McCorkle concerning multiple cross-site scripting (XSS) vulnerabilities in the GE Intelligent Platforms Proficy Historian Web Administrator software.
ICS-CERT has coordinated this vulnerability with GE and the researchers, and GE has made recommendations to reduce the potential attack surface. The affected product, Historian Web Administrator with Proficy Historian, is considered by GE to be a legacy component; as a result, GE is not issuing a patch for this vulnerability.
This vulnerability affects the following products:
- Proficy Historian: All versions
- Proficy HMI/SCADACIMPLICITY: Version 8.1and 8.2 (If Historian is installed).
- Proficy HMI/SCADAiFIX: Versions 5.0 and 5.1 (If Historian is installed).
This vulnerability could allow an attacker to obtain information and to execute arbitrary client-side scripts to support further attacks.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Proficy Historian is a data historian that collects, archives, and distributes production information. According to GE, the Proficy Historian product is deployed across multiple industries worldwide.
An XSS vulnerability exists in the Historian Web Administrator because it lacks server-side validation of query string parameter values. Attacks that exploit these vulnerabilities require that a user visit a specially crafted URL, which injects client-side scripts into the server’s HTTP response to the client.
Successful exploitation of this vulnerability could allow an attacker to obtain information and to execute arbitrary client-side scripts to support further attacks.
CVE-2011-3320 has been assigned to this vulnerability.
This vulnerability is remotely exploitable.
Existence of Exploit
No publicly available exploits specifically targeting this vulnerability are known to exist.
Exploiting this vulnerability requires a low to moderate skill set.
GE Intelligent Platforms does not recommend that customers install or use the Historian Web Administrator component with Proficy Historian. According to GE, the Historian Web Administrator is a legacy product component that should be removed from systems running the affected software to reduce the potential attack surface. According to GE, the “Administrative Website” option will be removed from the Historian Install Wizard in future versions of the Historian product.
GE recommends that customers follow these steps to remove installed copies of the Historian Web Administrator:
- Open Windows Explorer.
- Navigate to the Windows directory where the Historian Web Administrator is installed. By default, this is in the IIS directory C:\inetpub\wwwroot.
- Right click on the “Historian” folder and select “Delete” to delete that folder.
ICS-CERT recommends that customers using the affected product consider taking the following proactive measures to decrease the likelihood of successful exploitation of this vulnerability:
- ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
GE Intelligent Platforms advises customers to follow the recommendations in the security advisory which can be found at: http://support.ge-ip.com/support/index?page=kbchannel&id=S:KB14493. Access to the advisory requires a valid GE SSO ID and Customer Service Number.
The Control Systems Security Program (CSSP) provides a recommended practices section for control systems security on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open unsolicited attachments in e-mail messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding e-mail scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.