The Department of Homeland Security's ICS-CERT issued an advisory for GE's PulseNet network management software, which is used for industrial control systems in critical infrastructures, warning of a critical, remotely exploitable vulnerability with low attack complexity. How does this improper authentication vulnerability work? How can other flaws affect PulseNet?
Vulnerabilities reported earlier this year in General Electric's (GE) MDS PulseNet line enable remote code execution, data exfiltration and directory traversal on targeted systems. The attack chain starts by bypassing the system's authentication mechanism, so that remote users are authenticated improperly.
The improper authentication vulnerability is caused by a flaw in Java's Remote Method Invocation (RMI), the object-oriented equivalent of a remote procedure call. The affected products include versions of GE's PulseNet and PulseNet Enterprise up to 3.2.1. Updating to the latest version of PulseNet mitigates the flaws.
An attacker can exploit this vulnerability to launch object-oriented applications and execute code on remote computers through web services: the attacker writes applications whose malicious objects interact with computers across the distributed network. Those objects can also carry information that changes the services a remote computer is currently performing, which enables the attacker to exfiltrate data.
Two other flaws found in the affected products are improper restriction of an XML External Entity reference and relative path traversal.
Exploitation of the first flaw can lead to the exfiltration of confidential data from the host Windows platform, denial-of-service attacks and server-side request forgery. The XML parser is not configured to refuse input that references an external entity, so attackers can execute code remotely to disclose usernames, passwords and other targeted files.
The last flaw in the ICS-CERT alert is a relative path traversal vulnerability that could enable an attacker to traverse the file system to read, create, delete or corrupt files. The flaw lies in an external input that is used to construct a path name within a restricted directory: PulseNet doesn't properly neutralize sequences such as "..", which can be used to resolve a location beyond the restricted boundaries of that directory. Authentication is further bypassed when the attacker appends a new account to a password file or guesses the password by brute force.
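As an added illustration of the mitigation (this is example code, not from the advisory or from GE's product), the check below canonicalizes a client-supplied relative path and refuses anything that resolves outside a restricted directory; BASE_DIR and the request strings are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for the product's restricted data directory
# (a hypothetical location, not PulseNet's real install path).
BASE_DIR = Path(tempfile.gettempdir()) / "restricted_reports"

_DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C:


def resolve_within(base_dir, requested: str) -> Path:
    """Map a client-supplied relative path to a file under base_dir, or raise.

    The decision is made on the canonical (resolved) path rather than by
    searching the string for "..", so "a/../../x", Windows-style "..\\x",
    absolute paths and symlinks that point outside the directory are all
    caught by one rule: the final location must be base_dir or a descendant.
    """
    base = Path(base_dir).resolve()
    # Treat backslashes as separators so a Windows-style traversal is not
    # misread as an ordinary file name on POSIX (and vice versa).
    cleaned = requested.replace("\\", "/")
    if cleaned.startswith("/") or _DRIVE.match(cleaned):
        raise ValueError(f"absolute path rejected: {requested!r}")
    candidate = (base / cleaned).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes restricted directory: {requested!r}")
    return candidate


def is_allowed(requested: str) -> bool:
    """True when the request stays inside BASE_DIR, False otherwise."""
    try:
        resolve_within(BASE_DIR, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts.
    for req in ["reports/2019.xml", "../../etc/passwd", "..\\..\\Windows\\win.ini",
                "reports/../../secrets.txt", "/etc/passwd", "C:\\Windows\\win.ini"]:
        print(f"{req!r:32} -> {'allowed' if is_allowed(req) else 'REJECTED'}")
```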
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)