GE Fanuc releases info on iFIX vulnerabilities VU# 310355

If you’ve been looking for my slides from the SCADA Summit that included information on the GE Fanuc iFIX vulnerabilities that I discovered and reported, then you’re still out of luck, but this is just as good, really.  If you’re an end-user of iFIX, or a penetration tester/red-team member testing installations of iFIX products, this is really all the info you need:

It’s a pretty good prose description of the vulnerabilities, in more detail than I was expecting from them.  Boiling it down to a couple of bullet points, these vulnerabilities encompass the following issues (trying not to put it in more detail than their write-up):

  • Password storage is done in an easily reversible manner.
  • “Network” authentication involves passing the file over Windows shares without additional encryption/protection.
  • Authentication of users can be bypassed, as iFIX’s security measures for managing users’ access run in the context of the currently-logged-in Windows user that is running the iFIX system.
  • Features that prevent operators from exiting the HMI screen can be bypassed with an auto-run capable USB drive (such as U3).

There are some excellent suggestions for end-users that would allow them to mitigate the impact of these vulnerabilities until they are fixed in a future release of iFIX.  There’s good advice in there, even if you’re running something other than iFIX for your HMI.

Enjoy!

Edit: Quick edit for clarity.
