If you’ve been looking for my slides from the SCADA Summit that included information on the GE Fanuc iFIX vulnerabilities that I discovered and reported, then you’re still out of luck, but this is just as good, really. If you’re an end-user of iFIX, or a penetration tester/red-team member testing installations of iFIX products, this is really all the info you need:
It’s a pretty good prose description of the vulnerabilities, in more detail than I was expecting from them. Boiling it down to a couple of bullet points, these vulnerabilities encompass the following issues (trying not to put it in more detail than their write-up):
- Password storage is done in an easily reversible manner
- “Network” authentication involves passing the file over Windows shares without additional encryption/protection
- Authentication of users can be bypassed, as iFIX’s security measures for managing users’ access run in the context of the currently-logged-in Windows user that is running the iFIX system.
- Features that prevent operators from exiting the HMI screen can be bypassed with an auto-run capable USB drive (such as U3).
There are some excellent suggestions for end-users that would allow them to mitigate the impact of these vulnerabilities until they are fixed in a future release of iFIX. There’s good advice in there, even if you’re running something other than iFIX for your HMI.
Enjoy!
Edit: Quick edit for clarity.
[...] contact Wesley McGrew: | email – wesley@mcgrewsecurity.com | gpg key | aim – wesleymcgrew | twitter – mcgrewsecurity | McGrew Security Blog « GE Fanuc releases info on iFIX vulnerabilities VU# 310355 [...]
[...] Wesley McGrew has published information on the GE iFix vuln and fix. [...]