ICSA-22-053-01 GE Proficy CIMPLICITY-IPM
Description
CVE-2022-23921 allows local privilege escalation and code execution in GE Proficy CIMPLICITY versions ≤11.1 under specific conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an improper privilege management issue (CWE-269) in GE Proficy CIMPLICITY versions v11.1 and prior [1]. Exploitation requires that the attacker have login access to a machine actively running CIMPLICITY, that the server not already be running a project, and that the server be licensed for multiple projects [1].
Exploitation
An attacker with local login access to the machine can exploit the vulnerability by leveraging the improper privilege management to escalate privileges and execute arbitrary code [1]. This works only when the server is not running a project and holds a multi-project license [1].
Impact
Successful exploitation results in local privilege escalation and code execution, potentially compromising confidentiality, integrity, and availability of the system. The CVSS v3 base score is 7.5, which falls in the High severity range [1].
Mitigation
GE Digital recommends upgrading to the latest version of Proficy CIMPLICITY released in January 2022 [1]. Users should also follow the Secure Deployment Guide to restrict which projects are allowed to run and ensure proper access controls on CIMPLICITY machines and directories [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: all
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.cisa.gov/uscert/ics/advisories/icsa-22-053-01 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.