GE iFix Unsafe ActiveX Control Scripting Vulnerability (CVE-2018-17925) Analysis

Critical Vulnerability Information Vulnerability Name: GE iFix CVSS v3 Score: 5.3 Concern: Remotely Exploitable / Low Skill Level Vendor: GE Affected Devices: iFix with Gigasoft components Vulnerability Type: Unsafe ActiveX Control Marked as Script-Safe (CWE-623) Risk Assessment Successful exploitation could lead to buffer overflow conditions. Technical Details 3.1 Affected Products GE reports that this vulnerability affects the following iFix HMI products: iFix 2.0 - 5.0 iFix 5.1 iFix 5.5 iFix 5.8 Gigasoft components prior to version 8.0 may also be used in products from other vendors. 3.2 Vulnerability Overview Multiple instances of this vulnerability were found in Gigasoft, a third-party ActiveX object used in GE iFix. The vulnerability only affects users who independently use the Gigasoft drawing package outside of the product. The reported method is not available within iFix products and is not considered a core issue of iFix’s core functionality. CVE-2018-17925 has been assigned to this vulnerability. Its CVSS v3 base score is 5.3, with the CVSS vector string: (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). 3.3 Background Critical Infrastructure Sector: Multiple Sectors Deployment Countries/Regions: Worldwide Company Headquarters Location: United States 3.4 Researchers LiMingzheng from the 360 Aegis Security Team reported this vulnerability to NCCIC. Mitigation Measures GE released iFix 5.9 in June 2017, which resolved this issue by integrating Gigasoft Version 8.0. GE recommends users only use ActiveX controls from trusted sources. To obtain the latest version of iFix products, contact your local GE Digital representative. Contact information is available at: https://digital.ge.com/communities/CC_Contact. NCCIC recommends users implement defensive measures to reduce the risk of exploitation. Specifically, users should: Minimize network exposure of all control systems, ensuring they are not accessible from the internet. Place control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), while recognizing that VPNs may have vulnerabilities and must be updated to the latest versions. Note that VPNs are only as secure as the devices they connect to.

Goal Reached Thanks to every supporter — we hit 100%!

GE iFix Unsafe ActiveX Control Scripting Vulnerability (CVE-2018-17925) Analysis