Rewterz Threat Advisory – ICS: GE Gas Power ToolBoxST

Severity

High

Analysis Summary

CVE-2021-44477

GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

CVE-2018-16202

ToolBoxST prior to Version 7.8.0 uses a vulnerable version of the Ionic .NET Zip library that does not properly sanitize path names allowing files to be extracted to a location above their parent directory and back to the root directory. If an attacker compromises an HMI or creates their own SDI client, they can upload the device.zip file from a controller, patch it to contain a malicious file and path, and download it back to the controller. The next user to perform an upload could grab the malicious device.zip and extract it to their HMI, creating the potential for arbitrary write, overwrite, and execution.

Impact

• Data Exfiltration
• Code Execution

Affected Vendors

• GE

Affected Products

• ToolBoxST OS: All versions prior to 07.09.07C

Remediation

Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.