CVE-2014-0751
Published 2014-01-25
Priority: P2 · 74 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck KEV: exploited in the wild (ITW)
EPSS: 3.06% (86.0th percentile)
The CIMPLICITY Web-based access component, CimWebServer, does not check
the location of shell files being loaded into the system. By modifying
the source location, an attacker could send shell code to the
CimWebServer which would deploy the nefarious files as part of any SCADA
project. This could allow the attacker to execute arbitrary code.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | intelligent_platforms_proficy_hmi_2fscada_cimplicity | <= 8.2 | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | — | — |
| ge | proficy_hmi_scada_cimplicity | >= 4.01 < 8.2 | 8.2 |
| ge | proficy_process_systems_with_cimplicity | — | — |
Detection & IOCs (extracted from sources)
- Monitor for gefebt.exe being accessed or executed from non-standard or remote locations, as exploitation involves loading shell files from attacker-controlled source locations rather than the default local directory.
- Detect path traversal attempts in HTTP requests directed at CimWebServer, particularly requests that reference shell file locations outside the default local directory.
- Alert on presence or execution of gefebt.exe accessible from a web client context; GE's own mitigation requires deleting or moving all copies of gefebt.exe accessible from a web client.
- Affected versions span a wide range: Proficy HMI/SCADA - CIMPLICITY versions 4.01 through 8.2. Detection rules should account for all versions in this range.
CVSS provenance
NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 6.8 MEDIUM
GHSA
GHSA-5q8q-px6g-7r9f: Directory traversal vulnerability in CimWebServer
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-22
Directory traversal vulnerability in CimWebServer.exe (aka the WebView component) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted message to TCP port 10212, aka ZDI-CAN-1623.
VulnCheck
GE CIMPLICITY Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2014 · CVSS 6.8 [MEDIUM]
Affected: GE CIMPLICITY
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B; https://cisa.gov/news-events/ics-alerts/ics-alert-14-281-01a; https://cisa.gov/news-events/ics-a
CISA ICS
GE Proficy Vulnerabilities
cisa_ics · 2018-09-06
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## GE Proficy Vulnerabilities
Last Revised: September 06, 2018
Alert Code: ICSA-14-023-01
## OVERVIEW
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities.
These vulnerabilities could be exploited remotely.
## AFFECTED PRODUCTS
The following GE Intelligent Platforms products are affected:
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
bugzilla · 2013-04-16 · CVSS 10.0 [CRITICAL]
It was discovered that LogStream.setDefaultStream() is missing security restrictions. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21 and 6u45.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJDK7 up
Bugzilla
CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
bugzilla · 2013-04-16 · CVSS 9.3 [CRITICAL]
It was discovered that the sun.util.invoke.Wrapper did not perform type checks correctly when converting wrapped values. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in 7u21.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJDK7 ups
Bugzilla
CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
bugzilla · 2013-04-16 · CVSS 10.0 [CRITICAL]
It was discovered that the java.beans.ThreadGroupContext did not properly restrict access to the contexts field. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in 7u21 and 6u45.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJ
Bugzilla
CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
bugzilla · 2013-04-16 · CVSS 7.6 [HIGH]
It was discovered that JPEGImageWriter did not protect against modification of its state while performing certain native code operations. An untrusted Java application or applet could possibly use this flaw to trigger JVM memory corruption.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21 and 6u45.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-
Bugzilla
CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
bugzilla · 2013-04-16 · CVSS 10.0 [CRITICAL]
It was discovered that the 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in 7u21 and 6u45.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJDK7 upstream repositories commit:
http://hg.openjdk.ja
Bugzilla
CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
bugzilla · 2013-04-16 · CVSS 10.0 [CRITICAL]
It was discovered that the Hotspot component did not properly handle certain intrinsic frames. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJDK7 upstream repositor
Bugzilla
CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
bugzilla · 2013-04-16 · CVSS 9.3 [CRITICAL]
It was discovered that the ConcurrentHashMap class incorrectly calls the defaultReadObject() method. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
Bugzilla
CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
bugzilla · 2013-04-15 · CVSS 2.1 [LOW]
It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
---
OpenJDK7 upstream re
Bugzilla
CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)
bugzilla · 2013-04-15 · CVSS 3.7 [LOW]
java.lang.invoke.MethodHandles did not perform access checks correctly. An untrusted Java application or applet could use this to set the value of a final field.
Discussion:
Public now via Oracle Java SE CPU April 2014:
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Fixed in Oracle Java SE 7u21.
---
OpenJDK7 upstream repositories commit:
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:0751 https:
References:
- http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939
- http://www.securityfocus.com/bid/65124
- https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01
- http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
- http://support.ge-ip.com/support/index?page=kbchannel&id=KB15940
- http://www.securityfocus.com/bid/65117