ID

VAR-200902-0500

CVE

CVE-2009-0216

TITLE

ge_fanuc ifix Bypass access restriction vulnerability

DESCRIPTION

GE Fanuc iFIX 5.0 and earlier relies on client-side authentication involving a weakly encrypted local password file, which allows remote attackers to bypass intended access restrictions and start privileged server login sessions by recovering a password or by using a modified program module. Vulnerabilities in the way GE Fanuc iFIX handles authentication could allow a remote attacker to log on to the system with elevated privileges. Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value, which may prevent Windows from effectively disabling AutoRun and AutoPlay features. GE Fanuc iFIX Is Human Machine Interface With components, Microsoft Windows CE , NT , 2000 , Server 2003 , XP and Vista Work on SCADA client / Server software. iFIX Vulnerabilities exist in authentication. The user name and password are stored in a local file on the client side, and the password is encrypted with a low-strength algorithm. GE Fanuc according to: Attackers can gain copies of this file in two ways. The first way requires that an attacker have an interactive session with the computer containing the file, such as a direct login, or through a remote terminal session, VNC, or some other remote session providing access to a command shell. Using the shell, the attacker can simply copy the file and extract the passwords at some later point. Another way an attacker can gain access to this file is by intercepting the file over the network. This can occur if the file is shared between two computers using Microsoft WindowsR network sharing. In this case, an attacker may be able to recreate the file by using a network sniffer to monitor network traffic between them. iFIX Since authentication is performed within the client, an attacker could tamper and replace the authentication module. GE Fanuc according to: Authentication and authorization of users are implemented through certain program modules. These modules can be modified at the binary level to bypass user authentication. To exploit this type of attack, an attacker needs to be able to launch unauthorized applications from an interactive shell. Also, iFIX Is Technical Cyber Security Alert TA09-020A Published on “Microsoft Windows Notes on disabling the auto-execution function ” There is a possibility of being affected. Any code executed using the auto-execution function iFIX Enviroment Protection May result in the authentication module being tampered with and replaced.An attacker could gain access to a file containing authentication information or intercept network traffic. As a result, by the attacker iFIX Unauthorized access to the system is possible. GE Fanuc iFIX 5.0 are earlier are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-020A Microsoft Windows Does Not Disable AutoRun Properly Original release date: January 20, 2009 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows Overview Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability. I. Description Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations: * A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or Firewire device, or mapping a network drive. This connection can result in code execution without any additional user interaction. * A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive's contents, this action can cause code execution. * The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected. Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. II. Impact By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer. III. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround. IV. References * The Dangers of Windows AutoRun - <http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html> * US-CERT Vulnerability Note VU#889747 - <http://www.kb.cert.org/vuls/id/889747> * Nick Brown's blog: Memory stick worms - <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms> * TR08-004 Disabling Autorun - <http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx> * How to Enable or Disable Automatically Running CD-ROMs - <http://support.microsoft.com/kb/155217> * NoDriveTypeAutoRun - <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx> * Autorun.inf Entries - <http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx> * W32.Downadup - <http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99> * MS08-067 Worm, Downadup/Conflicker - <http://www.f-secure.com/weblog/archives/00001576.html> * Social Engineering Autoplay and Windows 7 - <http://www.f-secure.com/weblog/archives/00001586.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-020A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-020A Feedback VU#889747" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 20, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXYqQnIHljM+H4irAQL9EAgAwE5XWd+83CTwTl1vAbDW3sNfCaucmj79 VmXJ+GktQorbcp29fktYaQxXZ2A6qBREJ1FfwlM5BT0WftvGppLoQcQO3vbbwEQF M0VG5xZhTOi8tf4nedBDgDj0ENJBgh6C73G5uZfVatQdFi79TFkf9SVe6xn5BkQm 5kKsly0d/CX/te15zZLd05AJVEVilbZcECUeDVAYDvWcQSkx2OsJFb+WkuWI9Loh zkB7uOeZFY9bgrC04nr9DPHpaPFd8KCXegsxjqN1nIraaCabfvNamriqyUFHwAhK sk/DFSjdI6xJ4fXjDQ77wfgLYyTeYQ/b2U/1sqkbOTdCgXqSop5RrA== =6/cp -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Windows Vista "NoDriveTypeAutoRun" Security Issue SECUNIA ADVISORY ID: SA29458 VERIFY ADVISORY: http://secunia.com/advisories/29458/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: Local system OPERATING SYSTEM: Microsoft Windows Vista http://secunia.com/product/13223/ DESCRIPTION: CERT/CC has reported a security issue in Windows Vista, which can be exploited by malicious people to bypass certain security settings. AutoPlay is a feature designed to immediately begin reading from a drive (e.g. run a setup file) when a media is inserted. Successful exploitation may result in execution of arbitrary code, but requires physical access to a vulnerable system or that a user is tricked into inserting a malicious media (e.g. USB device). SOLUTION: Restrict access to affected systems. Do not insert any untrusted media even with the registry key value set to disable AutoPlay for all drives. PROVIDED AND/OR DISCOVERED BY: Will Dormann and Jeff Gennari, CERT/CC. ORIGINAL ADVISORY: US-CERT VU#889747: http://www.kb.cert.org/vuls/id/889747 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . This can be exploited to gain knowledge of user names and passwords by obtaining (e.g. by modifying certain used modules. 3) It is possible to bypass the run-time Environment Protection via the Autoplay feature by attaching an external storage device containing an automatically launched script. Use in a trusted network environment only. Description The presence of a Conficker infection may be detected if a user is unable to surf to the following websites: * http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm * http://www.mcafee.com If a user is unable to reach either of these websites, a Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in http://support.microsoft.com/kb/962007. Solution US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Miscrosoft in October 2008), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Trust management

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Rayford Vaughn and Robert Wesley McGrew at Mississippi State University.

SOURCES

LAST UPDATE DATE

2025-04-10T22:26:47.131000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE