EXPLOITED: GE Proficy Historian

January 18, 2023

Story

Historian servers accumulate real-time data from devices like industrial control systems using SCADA protocols such as OPC-DA or OPC-UA, timestamp it, and distribute it in support of various operational processes and procedures. They also usually include and/or operate as access control mechanisms. The data they store and transmit can be accessed by users via APIs.

(Credit: Claroty- Historian servers sit within the DMZ and operations manufacturing zones of the Purdue Model. Historians have reach into the enterprise and OT networks from this position.)

Historian servers like the GE Proficy Historian are a favorite target of hackers looking to gather intelligence about industrial processes, use access for financial gain, manipulate automation processes by changing or deleting data to disrupt operations, damaging equipment or endangering operators, and/or exploiting pivot points on the OT network.

(Credit: Claroty)

Team 82 investigated the GE Proficy Historian by reverse engineering its protocols, which revealed its authentication processes and subsequently allowed the team to access the environment. This access was gained through various authentication bypasses, file manipulation, and remote code execution bugs that exposed a test pharmaceutical network where they were able to modify records.

Team 82 built a functioning shell command line interface (CLI) that supports commands such as:

• Bypass authentication
• Upload an arbitrary file
• Read an arbitrary file
• Delete an arbitrary file
• Execute code remotely

(Credit: Claroty- RCE with authentication bypass proof-of-concept in action)

After commandeering the GE Proficy Historian’s MSO protocol – which binds all the system’s interfaces and listens to TCP ports (13000 to 14000) – and using it as a highway for malicious attacks over which they could control the system remotely via the CLI, they proceeded to execute a range of unverified remote commands. These included:

• FileAppendNextChunk (0x8D): Enables an attacker to append / write files with full control over the path and content of the file.
• FileGetNextChunk (0x8C): Enables an attacker to read any file on the system exposing sensitive information.
• DeleteTempFile (0x8E): Enables an attacker to delete any file on the system.

From end to end, Team 82’s Complete Procedure consisted of:

• Bypassing authentication with one of the methods explained above.
• Using the DeleteTempFile command to delete ihOAuth2.dll from the Historian installation directory located under program files.
• Using the FileAppendNextChunk command to write a malicious DLL with our own code and upload it to the Historian installation directory with the name ihOAuth2.dll
• Sending a new Login message to trigger the loading of the malicious dll
• Code execution

Since the white hats completed their work, GE has improved its historian server to counter the found disclosures in the  GE Proficy Historian 2023, which are listed below.

CVE Information

• CVE-2022-46732
  • CWE-288: Authentication bypass using an alternate path or channel
  • CVSS v3: 9.8
  • Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.
• CVE-2022-46660
  • CWE-434: Unrestricted upload of file with dangerous type
  • CVSS v3: 7.5
  • An unauthorized user could alter or write files with full control over the path and content of the file.
• CVE-2022-43494
  • CWE-284: Improper access control
  • CVSS v3: 7.5
  • An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.
• CVE-2022-46331
  • CWE-284: Improper access control
  • CVSS v3: 7.5
  • An unauthorized user could possibly delete any file on the system.
• CVE-2022-38469
  • CWE-261: Weak encoding for password
  • CVSS v3: 7.5
  • An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.