GE Bently Nevada 3500/22M

GE Bently Nevada 3500/22M Improper Authorization Vulnerability

CVE-2016-5788

3500

GE has identified an improper authorization vulnerability in the GE Bently Nevada 3500/22M monitoring system. GE has produced a new firmware version to mitigate this vulnerability in the USB version of the GE Bently Nevada 3500/22M monitoring system.

This vulnerability could be exploited remotely.

AFFECTED PRODUCT

The following GE Bently Nevada 3500/22M firmware versions are affected:

  • GE Bently Nevada 3500/22M (USB version), all versions prior to firmware Version 5.0, and
  • GE Bently Nevada 3500/22M (serial version), all versions.

IMPACT

Successful exploitation of the identified vulnerability may allow a remote attacker to gain unauthorized access to the affected device with elevated privileges.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

GE Bently Nevada is a wholly owned subsidiary of GE, a US-based company that maintains offices in several countries around the world.

The affected product, GE Bently Nevada 3500/22M, is a vibration monitoring system. According to GE, the GE Bently Nevada 3500/22M is deployed across several sectors including Chemical and Energy. GE estimates that these products are used worldwide.

IMPROPER AUTHORIZATION

Several open ports have been identified on the affected device, which allow unauthorized access to the device with elevated privileges.

EXPLOITABILITY

This vulnerability could be exploited remotely.

MITIGATION

GE has released a new firmware version for the GE Bently Nevada 3500/22M TDI USB monitoring system, Version 5.0. GE’s new firmware can only be applied to the USB version of the GE Bently Nevada 3500/22M monitoring system. Users registered with a GE Bently Nevada Technical Support Agreement can download Version 5.0 and access GE’s Technical Information Letter (TIL-149700250)

http://www.bntechsupport.com