ICSA-18-151-02  ·  Published 2018-05-31

GE MDS PulseNET and MDS PulseNET Enterprise

CVSS 7.3 HIGH

Risk Summary

Exploitation of these vulnerabilities may allow elevation of privilege and exfiltration of information on the host platform.

Remediations

  • GE has modified the product architecture and software of PulseNET. The latest version mitigates these specific vulnerabilities. GE encourages users to update PulseNET to Version 4.1 or newer to eliminate these vulnerabilities.
  • Updates for PulseNET are available
  • Updates to PulseNET Enterprise are available
  • In addition, GE recommends securing the PulseNET server using a defense-in-depth approach, ensuring that:
      • Electronic and physical access to the PulseNET server is limited to only authorized individuals and clients
      • The host server is dedicated to the PulseNET application only
      • The PulseNET server is not accessible from the Internet
      • The principle of least privilege is applied to the host operating system
      • The PulseNET server is appropriately hardened and maintained to the current patch level as prescribed by the OEM
      • The PulseNET server is restricted to communicating with MDS hosts only
  • GE has published a product bulletin with mitigation for these vulnerabilities on their webpage

Affected Vendors

General Electric (GE)

Affected Products (2)

General Electric (GE) · PulseNET Enterprise <= 3.2.1
General Electric (GE) · PulseNET <= 3.2.1

Affected Sectors

Energy, Water and Wastewater Systems, and others
