Team82 Research
Team82 has researched the GE Proficy Historian, an industry-leading historian server, uncovering five exploitable vulnerabilities
The vulnerabilities can be used in order to access the historian, crash the device, or remotely execute code
One of the five vulnerabilities has a CVSS v3 score of 9.8 and the four others have a CVSS v3 score of 7.5
GE Proficy Historian v7.0 and higher versions are affected
Historian servers share process information with enterprise systems, creating an attractive pivot point for attackers to move from the IT network to OT systems
GE Proficy Historian 2023 mitigates issues and SIMs have been provided for all affected versions and users are urged to ensure their systems are up to date.
Historian servers have a long reach within enterprise networks. These critical databases not only store data collected from industrial control systems, but they also extend to the corporate network by sharing information with enterprise resource planning systems and analytics platforms. When security researchers—and attackers—talk about crossing over from enterprise systems to operational technology networks, historian servers are often a bridge they navigate.
To better understand this enhanced attack surface, Team82 researched GE’s Proficy Historian, a leading historian server that collects, stores, and distributes time-series and engineering data. Industrial automation operations generate important data about the health of assets and processes, and historian servers play a considerable role in processing and analyzing that information on-premises or in the cloud in order to understand and improve process efficiency.
For a determined attacker, information such as process control, performance, and maintenance data has considerable value. Attackers would target historian servers in order to:
Gather intelligence about industrial processes
Use their access for financial gain.
Manipulate an automation process by changing or deleting data in order to disrupt operations.
Damage equipment or endanger operators.
Exploit the pivot point to the OT network.
Our work uncovered five vulnerabilities—including authentication bypasses, file manipulation, and remote code execution bugs—that allowed us to access a test pharmaceutical network in our lab and modify records. This blog will focus on two vulnerabilities Team82 was able to chain in order to gain pre-authentication remote code execution on the GE Proficy Historian.
GE has patched the vulnerabilities in Proficy Historian 2023 and all affected versions, negating the impact of our proof-of-concept exploits. Users are urged to ensure their affected Proficy Historian servers are updated and not exposed to remote attacks.
For four decades, historians have supported process enhancements within plants by collecting volumes of real-time data, time-stamping it, and distributing it for analysis in order to better understand anything from system performance to areas of possible improvement.
Given the precision required within industrial automation settings, understanding time-series data is critical in order to optimize processes, improve power usage, or even serve as the backbone for predictive analytics. An article written by automation expert Bill Lydon of InTech magazine explains a number of applicable use cases for historian servers.
From a technical standpoint, an historian is a centralized database located in the control system local area network. Historians handle data archiving and also correlate data using statistical process control techniques. For example, an historian server in a pharmaceutical manufacturing factory would keep important information about the batch production operation including the temperature of substances at any given point in time, PH levels, etc.
ICS historians typically work by collecting data from various sources within an industrial control system, such as control devices, sensors, and programmable logic controllers (PLCs). The collected data is usually done via SCADA-specific protocols or OPC DA / OPC UA which simplifies the data collection process. The data is then stored in a database and made available through a user interface or API.
In addition to process links through a network of sensors, control devices, and PLCs, historians may also be connected to other systems, such as enterprise resource planning (ERP) systems and analytics platforms, to allow for more comprehensive data analysis and decision-making. Therefore, due to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network.
Historians could be targeted by attackers for a variety of reasons. One main reason is that historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance. Attackers may target ICS historians, below, in order to gain access to this data, either for financial gain or for the purpose of gathering intelligence about an industrial process.
Another reason attackers may target ICS historians is that they can be used to disrupt or manipulate industrial processes. For example, an attacker who gains access to an ICS historian may be able to change or delete data, or manipulate the data in some other way, in order to disrupt the operation of an industrial process. This could have serious consequences, such as disrupting the production of goods, causing safety hazards, or damaging equipment.
ICS historians may also be targeted as part of a larger cyberattack on an industrial control system. In this case, the attacker may use the ICS historian as a stepping stone to gain access to other parts of the network, or to exfiltrate data from the system.
To better understand an historian’s attack surface, we researched the GE Proficy Historian application. Our goal was to take full control of the historian server in order to modify history records in an imaginary pharmaceutical factory.
Our first step was to install the server and understand its inner workings, then reverse-engineer its governing protocols, and understand how its authentication mechanism works. We then hunted for vulnerabilities and wrote our client in order to exploit them remotely and execute unauthorized code on the server. Finally, once we had a reverse shell on the server, we were able to modify the records.
The GE Proficy Historian uses the MSO protocol as its main communication protocol for most of its actions, including authentication, control, and data acquisition. The Proficy Historian has a few services that communicate using this protocol, all of which bind to all interfaces (0.0.0.0) and listen on various TCP ports between 13000-14000.
Every MSO message starts with a message header, then a body header and ends with the body content. Our research on the protocol structure allowed us to build a fully functional MSO client using these structures:
The request body also starts with a header followed by the message body. The request body is an array of “HRProp” structures containing a specific property type to its value.
The protocol has around 170 command types that perform a wide range of actions. Since most of the functions require authentication out research goals were:
Find an authentication bypass that will allow us to run any one of the 170 commands on the historian server
Go through the commands and search for primitives that can lead to remote code execution.
In our research, we found a way to bypass this authentication procedure. This allows remote attackers the ability to log in to any GE Proficy Historian server and force it to perform unauthorized actions.
Furthermore, we found that among the various commands defined in the protocol, some of them have improper access control mechanisms that allow remote clients to perform dangerous actions such as reading and writing arbitrary files, deleting arbitrary files and even executing code remotely when chained together. The remainder of this blog explains how we chained two of the vulnerabilities to do exactly that.
GE Proficy Historian runs different services, each responsible for part of the historian logic. These services can be run locally (on the same machine as the main historian service), or remotely (on another machine). This was interesting to us because the services use the MSO protocol the same way a regular remote user does, but without any apparent authentication.
After decoding a login message sent by one of the services, we discovered that the difference between a regular login and the login which a service performs is in one of the HRProps: the HRPropServiceType. We tried sending our own message setting the service type to one of the services and were able to log in. When setting the service type to one of the services, the historian server does not check the authentication and therefore executes the requested command regardless of authentication status.
An attacker can take advantage of this fact and bypass the historian authentication by impersonating a local service. This means that by using a remote MSO client and changing the HRPropServiceType to one of the local services, the attacker can bypass the authentication procedure and execute MSO commands remotely even if the authentication flow fails. Thus, any user can remotely execute MSO API commands on the Historian server without the need to authenticate with correct credentials.
Historian services use the MSO protocol to read, write, and manage historian data. We found that some protocol commands, below, could also be used for malicious control. The purpose of these commands is to allow a service to perform actions, but without validating the scope of the commands. Without a proper access control (authorization) mechanism, they can be abused. Since the historian service is running as a SYSTEM user, all the actions are executed with the highest privileges.
FileAppendNextChunk (0x8D): enables an attacker to append / write files with full control over the path and content of the file.
FileGetNextChunk (0x8C): enables an attacker to read any file on the system exposing sensitive information.
DeleteTempFile (0x8E): enables an attacker to delete any file on the system.
Read/delete/write operations combined with the authentication bypass essentially give unauthenticated attackers full file read/write/delete privileges. Attackers can use these primitives to delete and replace one of the dynamic link libraries (DLL) the historian uses to get full remote code execution.
Chaining the vulnerabilities mentioned above, we can execute arbitrary code on a remote GE Proficy Historian server with SYSTEM privileges. Furthermore, we were able to build a fully functional shell command line interface (CLI) that supports several commands:
Bypass authentication
Upload an arbitrary file
Read an arbitrary file
Delete an arbitrary file
Execute code remotely
To execute code remotely, including bypassing authentication, we have chained some of the reported vulnerabilities together. This is the complete flow to execute code:
Bypass authentication with one of the methods explained above.
Using the DeleteTempFile command to delete ihOAuth2.dll from the Historian installation directory located under program files.
Using the FileAppendNextChunk command to write a malicious DLL with our own code. We will upload it to the Historian installation directory with the name ihOAuth2.dll
Send a new Login message to trigger the loading of the malicious dll
Our code will get executed.
Team82 privately reported five vulnerabilities in GE Proficy Historian which have a cumulative CVSS v3 severity score of 9.8. The flaws can enable an attacker to access a GE Proficy Historian server, modify files, disrupt processes, and crash machines.
Historian servers are in a prime network position as they share process and analytical data with both OT and IT networks, and are a critical pivot point for attackers between the two.
GE said GE Proficy Historian v8.0.1598.0 is affected, and that it has mitigated all of the vulnerabilities in the recently released GE Proficy Historian 2023. Users are urged to upgrade in order to be protected.
CWE-288: Authentication bypass using an alternate path or channel
CVSS v3: 9.8
Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.
CWE-434: Unrestricted upload of file with dangerous type
CVSS v3: 7.5
An unauthorized user could alter or write files with full control over the path and content of the file.
CWE-284: Improper access control
CVSS v3: 7.5
An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.
CWE-284: Improper access control
CVSS v3: 7.5
An unauthorized user could possibly delete any file on the system.
CWE-261: Weak encoding for password
CVSS v3: 7.5
An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.
Team82 would like to thank GE for its cooperation during this coordinated disclosure, and for its rapid response to these issues.
CWE-284 IMPROPER ACCESS CONTROL:
The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow users, including unprivileged users, to write or overwrite files.
Measuresoft recommends that users manually reconfigure the vulnerable directories so that they are not writable by everyone.
CVSS v3: 5.5
CWE-256: Plaintext Storage of a Password
In Automation-Direct C-MORE EA9 HMI credentials used by the platform are stored as plain text on the device.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 6.5
CWE-121: Stack-based Buffer Overflow
In Automation-Direct C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which leads to a stack overflow. The result of this stack-based buffer overflow will lead to a denial-of-service conditions.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 4.3
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
There is a function in Automation-Direct C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
AutomationDirect recommends that users update C-MORE EA9 HMI to V6.78
Affected versions:
CVSS v3: 7.5
CWE-319: CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.
Softing edgeConnector: Version 3.60 and Softing edgeAggregator: Version 3.60 are affected. Update Softing edgeConnector and edgeAggregator to v3.70 or greater.
CVSS v3: 8.0
