SB2023011813 - Multiple vulnerabilities in GE Digital Proficy Historian

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2022-46732)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to authentication bypass using an alternate path or channel. A remote attacker can bypass authentication for the target system.

2) Arbitrary file upload (CVE-ID: CVE-2022-46660)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.

3) Improper access control (CVE-ID: CVE-2022-43494)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.

4) Improper access control (CVE-ID: CVE-2022-46331)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and delete any file on the system.

5) Weak Encoding for Password (CVE-ID: CVE-2022-38469)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to weak encoding for password. A remote attacker with the decryption key can decrypt sensitive data, such as usernames and passwords.

Remediation

Install update from vendor's website.

References

• https://digitalsupport.ge.com/s/article/GE-Digital-Product-Security-Advisory-GED-23-01
• https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-01