SecurityTracker.com
Category:   Application (Generic)  >   iFIX
Vendors:   GE Fanuc
GE Fanuc iFIX Discloses Passwords to Local Users and to Remote Users Monitoring the Network
SecurityTracker Alert ID:  1021733
SecurityTracker URL:  http://securitytracker.com/id/1021733
CVE Reference:   CVE-2009-0216
Date:  Feb 17 2009
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.0, 2.2, 2.21, 2.5, 2.6, 3.0, 3.5, 4.0, 4.5, and 5.0
Description:   A vulnerability was reported in iFIX. A local user can obtain passwords. A remote user monitoring the network can obtain passwords.

The client software stores the target user's password in clear text in a file on the target user's system. A local user can access the file to obtain the password.

To authenticate to the SCADA system, the client software sends the target user's password over the network without encryption. A remote user monitoring the network can obtain the password and then log in to the SCADA system.

Rayford Vaughn and Robert Wesley McGrew at Mississippi State University reported this vulnerability.

The original advisory is available at:

http://www.mcgrewsecurity.com/2009/02/10/ge-fanuc-releases-info-on-ifix-vulnerabilities-vu-310355/

Impact:   A local user can obtain passwords.

A remote user monitoring the network can obtain passwords.

Solution:   The vendor has described a workaround in their advisory.

The vendor's advisory is available at:

http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253

Vendor URL:  support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.

