Recently Patched GE Cimplicity Vulnerabilities Echo Russian ICS Attacks
July 19, 2023
GE has recently patched over a dozen vulnerabilities in its Cimplicity HMI/SCADA product that bear striking similarities to industrial control system (ICS) attacks executed by the infamous Russian hacker group, Sandworm.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Tuesday to inform users about the vulnerabilities discovered in GE’s Cimplicity HMI and SCADA product. This product is used by major organizations globally, including those in critical infrastructure sectors.
The CISA advisory details CVE-2023-3463, a series of flaws that can be exploited for arbitrary code execution. GE has provided a patch and emphasized that “Exploit is only possible if an authenticated user with local access to the system obtains and opens a document from a malicious source so secure deployment and strong access management by users is essential.”
The vulnerabilities were discovered by ICS cybersecurity researcher Michael Heinzl. He reported that there are 14 memory corruption vulnerabilities in total, including uninitialized pointer, out-of-bounds read, out-of-bounds write, use-after-free, and heap-based buffer overflow bugs. Heinzl reported his findings to the vendor through CISA in December 2022 and noted that it took GE a significant amount of time to patch these and other vulnerabilities.
Each vulnerability can be exploited for arbitrary code execution by tricking a legitimate user into opening a specially crafted .cim project file. The attack is effective in the product’s default configuration against all versions. The application’s installation folder contains a subfolder named ‘No_DEP’, which includes a copy of an affected application binary that has Data Execution Prevention (DEP) disabled. Exploitation is simpler against organizations that utilize this specific binary.
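The 'No_DEP' detail above is the kind of thing a defender can audit directly: whether a Windows image opts in to Data Execution Prevention is recorded in the PE optional header's DllCharacteristics field (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0100). The following script, added here as an illustration and not taken from GE, CISA or the researcher's report, walks an installation directory and lists .exe/.dll files that do not set that flag. The sample binaries it scans are constructed header-only blobs (they are not runnable executables, and the file names are invented); the flag values and header offsets come from the PE/COFF specification.

```python
import os
import struct
import tempfile

NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
HEADER_READ = 64 * 1024  # PE headers sit well within the first 64 KiB


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS/COFF/optional headers and report DEP and ASLR opt-in.

    Raises ValueError when the bytes are not a PE image with a readable
    optional header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine = struct.unpack_from("<H", data, coff)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt = "PE32"
    elif magic == PE32PLUS_MAGIC:
        fmt = "PE32+"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": fmt,
        "machine": machine,
        "dll_characteristics": dll_chars,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
    }


def find_dep_optout(root: str) -> list:
    """Walk a directory tree; return (path, format) for PE files lacking NX_COMPAT."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    info = pe_mitigations(f.read(HEADER_READ))
            except (OSError, ValueError):
                continue  # unreadable or not a PE image; skip
            if not info["nx_compat"]:
                flagged.append((path, info["format"]))
    return flagged


def build_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE blob for testing (NOT a runnable executable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C          # AMD64 or i386
    opt_size = 240 if pe32plus else 224              # standard optional header sizes
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo_scan() -> list:
    """Write two constructed blobs (invented names) to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="dep_scan_")
    with open(os.path.join(root, "hardened_sample.exe"), "wb") as f:
        f.write(build_fake_pe(NX_COMPAT | DYNAMIC_BASE))
    with open(os.path.join(root, "no_dep_sample.exe"), "wb") as f:
        f.write(build_fake_pe(0))
    return find_dep_optout(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, fmt in (find_dep_optout(target) if target else demo_scan()):
        print("%s (%s): NX_COMPAT not set" % (path, fmt))
```

Run it with the product's installation directory as the argument to see which images would run without DEP under the default OptIn policy. Two caveats apply when reading the output: native 64-bit processes always run with DEP regardless of this flag, so the finding matters mainly for 32-bit images; and the flag can be overridden by system policy (AlwaysOn/AlwaysOff) or by an application opting in at runtime, so a missing NX_COMPAT is a lead to confirm against the running process, not proof by itself.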
The latest GE Cimplicity vulnerabilities are reminiscent of attacks conducted a decade ago by the Russian state-sponsored hacker group Sandworm, notorious for its disruptive attacks on Ukraine’s energy sector. In 2014, Trend Micro reported that the Sandworm group had targeted organizations using the Cimplicity product, with the operation involving the use of .cim files as attack vectors. CISA issued a warning to organizations related to those attacks at the time. The agency’s analysis, updated as recently as 2021, showed that the attackers had exploited a Cimplicity vulnerability, tracked as CVE-2014-0751, to “have the HMI server execute a malicious .cim file [Cimplicity screen file] hosted on an attacker-controlled server”. The attackers used .cim files to deploy the BlackEnergy malware.