
Successful exploitation of these vulnerabilities could allow an attacker to escalate their privileges.

TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected product allows a local authenticated user to modify system-wide iFIX configurations through the registry. This may allow privilege escalation.

CVE-2019-18243 has been assigned to this vulnerability.

3.2.2 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected product allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation.

CVE-2019-18255 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

William Knowles of Applied Risk reported these vulnerabilities to CISA. Sharon Brizinov of Claroty also reported these vulnerabilities separately to GE.

GE Digital recommends users immediately upgrade all instances of the affected software to GE Digital's iFIX product v6.5.
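Both findings are the same defect (CWE-732) on two different Windows object types: a registry key and a section object whose DACLs grant write-class access to principals every local user holds. The check below is an added example, not GE Digital or CISA code, and it makes no claim about the real iFIX ACLs. It audits a security descriptor in SDDL form and flags allow ACEs that give Everyone, Authenticated Users, BUILTIN\Users and similar low-privileged groups the bits that let them change the object (KEY_SET_VALUE / KEY_CREATE_SUB_KEY for keys, SECTION_MAP_WRITE / SECTION_EXTEND_SIZE for sections, plus DELETE, WRITE_DAC, WRITE_OWNER and the generic write rights on either). It goes beyond the advisory in handling both object kinds and deny ACEs in one routine. The object names are hypothetical and the SDDL strings are constructed so the check runs offline; on a live host the registry SDDL would come from something like `(Get-Acl 'HKLM:\SOFTWARE\<vendor key>').Sddl` and the section's from GetSecurityInfo on an opened handle.

```python
"""CWE-732 triage for Windows registry keys and section objects: flag DACL
entries that let low-privileged local principals write to the object.

Added example; not code from GE Digital or CISA. Object names below are
hypothetical and the SDDL strings are constructed test data.
"""
import re

# SDDL access-right tokens -> ACCESS_MASK bits (sddl.h / winnt.h).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# Rights that let a caller change the object's contents, delete it, or
# rewrite its security descriptor (and so grant itself anything later).
#   registry: KEY_SET_VALUE 0x2, KEY_CREATE_SUB_KEY 0x4
#   section:  SECTION_MAP_WRITE 0x2, SECTION_EXTEND_SIZE 0x10
#   both:     DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL
_COMMON = 0x00010000 | 0x00040000 | 0x00080000 | 0x40000000 | 0x10000000
WRITE_BITS = {"registry": 0x2 | 0x4 | _COMMON, "section": 0x2 | 0x10 | _COMMON}

# Principals that every local authenticated (or even anonymous) user matches.
LOW_PRIV_SIDS = {
    "WD": "Everyone",            "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users",      "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "Interactive",         "S-1-5-4": "Interactive",
    "BG": "BUILTIN\\Guests",     "S-1-5-32-546": "BUILTIN\\Guests",
    "AN": "Anonymous",           "S-1-5-7": "Anonymous",
}


def parse_rights(token):
    """Turn an ACE rights field ('KRKW', 'GRGW', '0x20006') into an ACCESS_MASK."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):   # rights are two-letter codes, concatenated
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, flag_set, mask, sid)] for the ACEs in the D: component."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, _obj_guid, _inh_guid, sid = body.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}  # OI, CI, IO, ...
        aces.append((ace_type, flag_set, parse_rights(rights), sid))
    return aces


def weak_aces(sddl, kind):
    """List (principal, write_bits) for allow ACEs that hand a low-privileged
    principal write-class access on a 'registry' key or a 'section' object.

    A canonical DACL lists deny ACEs before allow ACEs, so a deny seen earlier
    for the same SID strips those bits from a later allow. Inherit-only ACEs
    ('IO') govern children, not this object, and are skipped. Group nesting
    (a custom group that itself contains Users) is not resolved here; a full
    AccessCheck with a low-privileged token is the authoritative test.
    """
    denied, findings = {}, []
    for ace_type, flag_set, mask, sid in parse_dacl(sddl):
        if "IO" in flag_set or sid not in LOW_PRIV_SIDS:
            continue
        if ace_type == "D":
            denied[sid] = denied.get(sid, 0) | mask
        elif ace_type == "A":
            effective = mask & WRITE_BITS[kind] & ~denied.get(sid, 0)
            if effective:
                findings.append((LOW_PRIV_SIDS[sid], effective))
    return findings


# Constructed samples (hypothetical object names, not real iFIX descriptors).
# Registry key where Authenticated Users hold KEY_WRITE: the CVE-2019-18243
# pattern, a system-wide configuration editable by any local user.
WEAK_KEY_SDDL = "O:BAG:SYD:(A;OICI;KA;;;BA)(A;OICI;KA;;;SY)(A;OICI;KR;;;BU)(A;OICI;KW;;;AU)"
# Same key hardened: low-privileged principals get read only.
FIXED_KEY_SDDL = "O:BAG:SYD:(A;OICI;KA;;;BA)(A;OICI;KA;;;SY)(A;OICI;KR;;;BU)"
# Named section: Everyone granted SECTION_ALL_ACCESS; a deny ACE strips
# SECTION_MAP_WRITE, but EXTEND_SIZE, DELETE, WRITE_DAC and WRITE_OWNER remain.
SECTION_SDDL = "D:(D;;0x2;;;WD)(A;;0xF001F;;;WD)(A;;0xF001F;;;BA)"

SAMPLES = [
    ("registry", r"HKLM\SOFTWARE\ExampleVendor\ExampleHMI", WEAK_KEY_SDDL),
    ("registry", r"HKLM\SOFTWARE\ExampleVendor\ExampleHMI (fixed)", FIXED_KEY_SDDL),
    ("section", r"\BaseNamedObjects\ExampleHMI_SharedConfig", SECTION_SDDL),
]

if __name__ == "__main__":
    for kind, name, sddl in SAMPLES:
        hits = weak_aces(sddl, kind)
        print(f"[{'WEAK' if hits else 'ok'}] {kind}: {name}")
        for principal, bits in hits:
            print(f"    {principal} may write (mask 0x{bits:08X})")
```

The WRITE_DAC / WRITE_OWNER bits matter as much as the data-write bits: a principal who can rewrite the DACL can grant itself full access afterwards, so a descriptor that denies only SECTION_MAP_WRITE, as in the third sample, is still reported as weak.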
