ICSA-19-281-02 · Published 2019-10-08
GE Mark VIe Controller
CVSS 6.8 (MEDIUM)
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to create read/write/execute commands within the Mark VIe control system.
CVEs (2)
Remediations
- Disable the Telnet service (Telnet was enabled by default on Mark VIe controllers with versions of Control*ST earlier than v6.0).
- Reset controller passwords upon transfer of Mark VIe to the operating environment.
- GE Mark VIe Control system owners can request access and find instructions in GEH-6808, Control*ST Software Suite How to Guidelines.
- GE Mark VIe Control system owners can reference GEH-6839, Secure Deployment Guidelines, for further instruction on security actions with installation and maintenance of their control system.
- GE recommends organizations employ a defense-in-depth strategy through user authentication and authorization with features native to the control system to remediate security risk against the communication protocol vulnerabilities described.
- For more information, contact GE at https://www.ge.com/security
Affected Vendors
General Electric (GE)
Affected Products (1)
General Electric (GE) · GE Mark VIe Controller
vers:all/*