Critical

CVE-2009-0216 - Credentials Management vulnerability in GE Fanuc Ifix

Publication: 2009-02-13
Summary

GE Fanuc iFIX 5.0 and earlier relies on client-side authentication involving a weakly encrypted local password file, which allows remote attackers to bypass intended access restrictions and start privileged server login sessions by recovering a password or by using a modified program module.

Classification
CWE-255: Credentials Management

Risk level (CVSS 10)

Critical

10.0

Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High

Authentication

  • None
  • Single
  • Multiple

Confident. Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Affected Products

  • GE Fanuc Ifix 2.0
  • GE Fanuc Ifix 2.2
  • GE Fanuc Ifix 2.5
  • GE Fanuc Ifix 2.6
  • GE Fanuc Ifix 2.21
  • GE Fanuc Ifix 3.0
  • GE Fanuc Ifix 3.5
  • GE Fanuc Ifix 4.0
  • GE Fanuc Ifix 4.5
  • GE Fanuc Ifix 5.0