Hacking ICS Historians: The Pivot Point from IT to OT

Uri Katz
/ January 17th, 2023

Executive Summary

  • Team82 has researched the GE Proficy Historian, an industry-leading historian server, uncovering five exploitable vulnerabilities

  • The vulnerabilities can be used in order to access the historian, crash the device, or remotely execute code

  • One of the five vulnerabilities has a CVSS v3 score of 9.8 and the four others have a CVSS v3 score of 7.5

  • GE Proficy Historian v7.0 and higher versions are affected

  • Historian servers share process information with enterprise systems, creating an attractive pivot point for attackers to move from the IT network to OT systems

  • GE Proficy Historian 2023 mitigates the issues, and SIMs have been provided for all affected versions. Users are urged to ensure their systems are up to date.

  • ICS-CERT's security advisory may be found here.

Introduction

Historian servers have a long reach within enterprise networks. These critical databases not only store data collected from industrial control systems, but they also extend to the corporate network by sharing information with enterprise resource planning systems and analytics platforms. When security researchers—and attackers—talk about crossing over from enterprise systems to operational technology networks, historian servers are often a bridge they navigate. 

To better understand this enhanced attack surface, Team82 researched GE’s Proficy Historian, a leading historian server that collects, stores, and distributes time-series and engineering data. Industrial automation operations generate important data about the health of assets and processes, and historian servers play a considerable role in processing and analyzing that information on-premises or in the cloud in order to understand and improve process efficiency. 

For a determined attacker, information such as process control, performance, and maintenance data has considerable value. Attackers would target historian servers in order to: 

  • Gather intelligence about industrial processes

  • Use their access for financial gain. 

  • Manipulate an automation process by changing or deleting data in order to disrupt operations. 

  • Damage equipment or endanger operators. 

  • Exploit the pivot point to the OT network. 

Our work uncovered five vulnerabilities—including authentication bypasses, file manipulation, and remote code execution bugs—that allowed us to access a test pharmaceutical network in our lab and modify records. This blog will focus on two vulnerabilities Team82 was able to chain in order to gain pre-authentication remote code execution on the GE Proficy Historian.

GE has patched the vulnerabilities in Proficy Historian 2023 and all affected versions, negating the impact of our proof-of-concept exploits. Users are urged to ensure their affected Proficy Historian servers are updated and not exposed to remote attacks.

What is an ICS Historian?

For four decades, historians have supported process enhancements within plants by collecting volumes of real-time data, time-stamping it, and distributing it for analysis in order to better understand anything from system performance to areas of possible improvement. 

Given the precision required within industrial automation settings, understanding time-series data is critical in order to optimize processes, improve power usage, or even serve as the backbone for predictive analytics. An article written by automation expert Bill Lydon of InTech magazine explains a number of applicable use cases for historian servers.

From a technical standpoint, an historian is a centralized database located in the control system local area network. Historians handle data archiving and also correlate data using statistical process control techniques. For example, an historian server in a pharmaceutical manufacturing factory would keep important information about the batch production operation, including the temperature of substances at any given point in time, pH levels, etc.

ICS historians typically work by collecting data from various sources within an industrial control system, such as control devices, sensors, and programmable logic controllers (PLCs). Data collection is usually done via SCADA-specific protocols or OPC DA / OPC UA, which simplifies the collection process. The data is then stored in a database and made available through a user interface or API.

Historian servers sit within the DMZ and operations manufacturing zones of the Purdue Model. Historians have reach into the enterprise and OT networks from this position.

In addition to process links through a network of sensors, control devices, and PLCs, historians may also be connected to other systems, such as enterprise resource planning (ERP) systems and analytics platforms, to allow for more comprehensive data analysis and decision-making. Therefore, due to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network.

Historians could be targeted by attackers for a variety of reasons. One main reason is that historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance. Attackers may target ICS historians in order to gain access to this data, either for financial gain or for the purpose of gathering intelligence about an industrial process.

Another reason attackers may target ICS historians is that they can be used to disrupt or manipulate industrial processes. For example, an attacker who gains access to an ICS historian may be able to change or delete data, or manipulate the data in some other way, in order to disrupt the operation of an industrial process. This could have serious consequences, such as disrupting the production of goods, causing safety hazards, or damaging equipment.

ICS historians may also be targeted as part of a larger cyberattack on an industrial control system. In this case, the attacker may use the ICS historian as a stepping stone to gain access to other parts of the network, or to exfiltrate data from the system.

Understanding the GE Proficy Historian

To better understand an historian’s attack surface, we researched the GE Proficy Historian application. Our goal was to take full control of the historian server in order to modify history records in an imaginary pharmaceutical factory. 

Our first step was to install the server and understand its inner workings, then reverse-engineer its governing protocols, and understand how its authentication mechanism works. We then hunted for vulnerabilities and wrote our client in order to exploit them remotely and execute unauthorized code on the server. Finally, once we had a reverse shell on the server, we were able to modify the records.

MSO Protocol

The GE Proficy Historian uses the MSO protocol as its main communication protocol for most of its actions, including authentication, control, and data acquisition. The Proficy Historian has a few services that communicate using this protocol, all of which bind to all interfaces (0.0.0.0) and listen on various TCP ports between 13000 and 14000.

GE Proficy Historian services.

Every MSO message starts with a message header, followed by a body header, and ends with the body content. Our research on the protocol structure allowed us to build a fully functional MSO client using these structures:

Message header for a MSO message.

The request body also starts with a header followed by the message body. The request body is an array of “HRProp” structures, each mapping a specific property type to its value.

An example of a GE Proficy MSO protocol packet in Wireshark.

The protocol has around 170 command types that perform a wide range of actions. Since most of the functions require authentication, our research goals were:

  1. Find an authentication bypass that will allow us to run any one of the 170 commands on the historian server

  2. Go through the commands and search for primitives that can lead to remote code execution. 

In our research, we found a way to bypass this authentication procedure. This allows remote attackers the ability to log in to any GE Proficy Historian server and force it to perform unauthorized actions. 

Furthermore, we found that among the various commands defined in the protocol, some of them have improper access control mechanisms that allow remote clients to perform dangerous actions such as reading and writing arbitrary files, deleting arbitrary files and even executing code remotely when chained together. The remainder of this blog explains how we chained two of the vulnerabilities to do exactly that. 

Authentication Bypass (CVE-2022-46732)

GE Proficy Historian runs different services, each responsible for part of the historian logic. These services can be run locally (on the same machine as the main historian service), or remotely (on another machine). This was interesting to us because the services use the MSO protocol the same way a regular remote user does, but without any apparent authentication.

After decoding a login message sent by one of the services, we discovered that the difference between a regular login and the login which a service performs is in one of the HRProps: the HRPropServiceType. We tried sending our own message setting the service type to one of the services and were able to log in. When setting the service type to one of the services, the historian server does not check the authentication and therefore executes the requested command regardless of authentication status.

We can see that there is a difference in the code flow when the server recognizes a local service. By sending a specifically crafted request, an attacker can impersonate a local service and bypass authentication.

An attacker can take advantage of this fact and bypass the historian authentication by impersonating a local service. This means that by using a remote MSO client and changing the HRPropServiceType to one of the local services, the attacker can bypass the authentication procedure and execute MSO commands remotely even if the authentication flow fails. Thus, any user can remotely execute MSO API commands on the Historian server without the need to authenticate with correct credentials.
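The flaw class described above (CWE-288), shown as a toy server-side model next to one possible hardened form. This is an added example, not GE's code or Team82's client: the request shape, service-type names, credential store and the `peer_is_verified_service` input are all hypothetical.

```python
# Toy model of the flaw class (CWE-288). Not GE's code; all names are hypothetical.
import hmac
from dataclasses import dataclass, field

LOCAL_SERVICE_TYPES = {"collector", "archiver"}  # hypothetical service types
USERS = {"operator": "correct-horse"}            # constructed credential store


@dataclass
class Request:
    command: str
    props: dict = field(default_factory=dict)    # stands in for the HRProp array


def credentials_ok(req: Request) -> bool:
    expected = USERS.get(req.props.get("username"))
    supplied = str(req.props.get("password", ""))
    return expected is not None and hmac.compare_digest(expected, supplied)


def dispatch_vulnerable(req: Request) -> str:
    # Flaw: a client-supplied property selects a branch that never consults
    # the authentication result.
    if req.props.get("service_type") in LOCAL_SERVICE_TYPES:
        return f"executed {req.command}"
    return f"executed {req.command}" if credentials_ok(req) else "denied"


def dispatch_hardened(req: Request, peer_is_verified_service: bool) -> str:
    # Service status is a fact the server established about the connection
    # (assumed here: a mutually authenticated channel), never a request field.
    if peer_is_verified_service or credentials_ok(req):
        return f"executed {req.command}"
    return "denied"


if __name__ == "__main__":
    forged = Request("FileGetNextChunk", {"service_type": "collector"})
    print(dispatch_vulnerable(forged))       # executed FileGetNextChunk
    print(dispatch_hardened(forged, False))  # denied
```
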

Remote Code Execution (CVE-2022-46660)

Historian services use the MSO protocol to read, write, and manage historian data. We found that some protocol commands, below, could also be used for malicious control. The purpose of these commands is to allow a service to perform actions, but without validating the scope of the commands. Without a proper access control (authorization) mechanism, they can be abused. Since the historian service is running as a SYSTEM user, all the actions are executed with the highest privileges.

  • FileAppendNextChunk (0x8D): enables an attacker to append / write files with full control over the path and content of the file. 

  • FileGetNextChunk (0x8C): enables an attacker to read any file on the system exposing sensitive information.

  • DeleteTempFile (0x8E): enables an attacker to delete any file on the system.

Read/delete/write operations combined with the authentication bypass essentially give unauthenticated attackers full file read/write/delete privileges. Attackers can use these primitives to delete and replace one of the dynamic link libraries (DLL) the historian uses to get full remote code execution.
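What "validating the scope of the commands" can look like on the server side, as an added example rather than GE's fix or code from the original post: a handler for the three command codes listed above that requires an authorized caller and confines every path to a single transfer directory. The handler name, the `authorized` flag and the transfer directory are assumptions.

```python
# Added example; handler and directory names are hypothetical, not GE's code.
import os

FILE_COMMANDS = {0x8C: "FileGetNextChunk",
                 0x8D: "FileAppendNextChunk",
                 0x8E: "DeleteTempFile"}


def resolve_in_scope(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:            # e.g. a different drive letter on Windows
        inside = False
    if not inside:
        raise PermissionError(f"path escapes transfer directory: {requested!r}")
    return target


def handle_file_command(code, requested, base_dir, authorized, data=b""):
    if code not in FILE_COMMANDS:
        raise ValueError("not a file command")
    if not authorized:            # authorization first, then scope
        raise PermissionError("caller not authorized")
    path = resolve_in_scope(base_dir, requested)
    if code == 0x8D:              # append a chunk
        with open(path, "ab") as fh:
            fh.write(data)
        return len(data)
    if code == 0x8C:              # read back
        with open(path, "rb") as fh:
            return fh.read()
    os.remove(path)               # 0x8E: delete, only inside the scope
    return True
```
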

Team82’s Exploit

Chaining the vulnerabilities mentioned above, we can execute arbitrary code on a remote GE Proficy Historian server with SYSTEM privileges. Furthermore, we were able to build a fully functional shell command line interface (CLI) that supports several commands:

  • Bypass authentication

  • Upload an arbitrary file

  • Read an arbitrary file

  • Delete an arbitrary file

  • Execute code remotely

This is our RCE with authentication bypass proof-of-concept in action

To execute code remotely, including bypassing authentication, we have chained some of the reported vulnerabilities together. This is the complete flow to execute code:

  1. Bypass authentication with one of the methods explained above.

  2. Use the DeleteTempFile command to delete ihOAuth2.dll from the Historian installation directory, located under Program Files.

  3. Use the FileAppendNextChunk command to write a malicious DLL containing our own code, uploading it to the Historian installation directory with the name ihOAuth2.dll.

  4. Send a new Login message to trigger the loading of the malicious DLL.

  5. Our code will get executed.
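Steps 2 and 3 leave a recognizable trace on disk: a DLL in the installation directory is deleted and a file with the same name appears shortly afterwards. The following added example (not part of the original post) runs that detection over constructed file-audit events; the log format, the time window and the installation path placeholder are assumptions.

```python
# Added example: constructed events, hypothetical log format and install path.
from datetime import datetime, timedelta

INSTALL_DIR = r"C:\Program Files\<historian-install-dir>"   # placeholder
WINDOW = timedelta(minutes=10)                               # assumed threshold

EVENTS = [  # constructed sample lines: "<ISO time> <ACTION> <path>"
    f"2023-01-10T10:00:01 DELETE {INSTALL_DIR}\\ihOAuth2.dll",
    f"2023-01-10T10:00:02 WRITE {INSTALL_DIR}\\Logs\\service.log",
    f"2023-01-10T10:00:04 CREATE {INSTALL_DIR}\\ihOAuth2.dll",
    "2023-01-10T10:05:00 DELETE C:\\Windows\\Temp\\upload.tmp",
    f"2023-01-10T11:30:00 CREATE {INSTALL_DIR}\\other.dll",
]


def parse(line):
    ts, action, path = line.split(" ", 2)    # the path may contain spaces
    return datetime.fromisoformat(ts), action, path


def find_dll_swaps(lines, install_dir=INSTALL_DIR, window=WINDOW):
    """Return (path, deleted_at, recreated_at) for DLLs under install_dir
    that were deleted and then written again within `window`."""
    prefix = install_dir.lower() + "\\"
    deleted, alerts = {}, []
    for ts, action, path in sorted(map(parse, lines)):
        key = path.lower()                   # Windows paths are case-insensitive
        if not (key.startswith(prefix) and key.endswith(".dll")):
            continue
        if action == "DELETE":
            deleted[key] = ts
        elif action in ("CREATE", "WRITE") and key in deleted:
            if ts - deleted[key] <= window:
                alerts.append((path, deleted.pop(key), ts))
    return alerts


if __name__ == "__main__":
    for path, gone, back in find_dll_swaps(EVENTS):
        print(f"DLL replaced: {path} deleted {gone}, recreated {back}")
```

Vendor updates also replace DLLs, so alerts from this rule need to be correlated with approved change windows before they are escalated.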

Summary

Team82 privately reported five vulnerabilities in GE Proficy Historian which have a cumulative CVSS v3 severity score of 9.8. The flaws can enable an attacker to access a GE Proficy Historian server, modify files, disrupt processes, and crash machines. 

Historian servers are in a prime network position as they share process and analytical data with both OT and IT networks, and are a critical pivot point for attackers between the two. 

GE said GE Proficy Historian v8.0.1598.0 is affected, and that it has mitigated all of the vulnerabilities in the recently released GE Proficy Historian 2023. Users are urged to upgrade in order to be protected. 

CVE Information

CVE-2022-46732

CWE-288: Authentication bypass using an alternate path or channel

CVSS v3: 9.8

Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.

CVE-2022-46660

CWE-434: Unrestricted upload of file with dangerous type

CVSS v3: 7.5

An unauthorized user could alter or write files with full control over the path and content of the file. 

CVE-2022-43494

CWE-284: Improper access control

CVSS v3: 7.5

An unauthorized user could be able to read any file on the system, potentially exposing sensitive information. 

CVE-2022-46331

CWE-284: Improper access control

CVSS v3: 7.5

An unauthorized user could possibly delete any file on the system.

CVE-2022-38469

CWE-261: Weak encoding for password

CVSS v3: 7.5

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.

Acknowledgement

Team82 would like to thank GE for its cooperation during this coordinated disclosure, and for its rapid response to these issues.

