| Developers: | General Electric (GE) |
| Branches: | Information technologies |
| Technology: | ITSM - Management systems for IT service |
2019: The sewed credentials and bugs of date leak
On May 7, 2019 it became known that in the solution GE Communicator used for a configuration of power meters of General Electric a number of vulnerabilities, including existence of the sewed credentials and information leak bugs is revealed.
Problems give an opportunity to acquire the administrator's rights at the workstation using SOFTWARE GE Communicator, however their operation requires or existence of network access to the station (and to settings firewall Windows), or local access with the privileges of the normal user. Remote operation is also possible, but is improbable as software, as a rule, works on devices where services are not open directly.
In total in the solution five vulnerabilities are revealed. One of them is connected (CVE-2019-6548) with existence of two accounts with the built-in credentials using which attacking can intercept control over the database of the application. According to warning of the ICS-CERT command, operation of vulnerability can be prevented if default settings of the Windows firewall are set.
Vulnerabilities of CVE-2019-6546 and CVE-2019-6564 allow the user without the rights of the administrator to place the harmful file in the folder of installation and to acquire the administrator's rights during process of installation or updating or, having implemented specially created file in the working folder, to manipulate widgets and elements of the interface.
One more problem (CVE-2019-6566) gives an opportunity to increase privileges by replacement of the GE Communicator uninstaller with the harmful file. At last, the last bug (CVE-2019-6544) affects the service working with system privileges. Attacking with low privileges can use vulnerability for accomplishment of certain administrative actions, for example, to start the planned scripts with the privileges of the administrator.
Vulnerabilities mention versions of GE Communicator (components Communicator Installer, Communicator Application, Communicator PostGreSQL, Communicator MeterManager, Communicator WISE Uninstaller) till 4.0.517. The corrected versions of a product are available on the website of the producer[1].
Notes
| The site content is translated by machine translation software powered by PROMT. The machine-translated articles are not always perfect and may contain errors in vocabulary, syntax or grammar. Read original article If you find inaccuracies or errors in the results of machine translation, please write to editor@tadviser.ru. We will make every effort to correct them as soon as possible. |