You are here

GE MDS PulseNET and MDS PulseNET Enterprise (ICSA-18-151-02) – Products Used in the Water and Wastewater and Energy Sectors

GE MDS PulseNET and MDS PulseNET Enterprise (ICSA-18-151-02) – Products Used in the Water and Wastewater and Energy Sectors

Created: Friday, June 1, 2018 - 00:00
Categories:
Cybersecurity

The NCCIC has released an advisory on improper authentication, improper restriction of XML external entity reference, and relative path traversal vulnerabilities in GE MDS PulseNET and MDS PulseNET Enterprise. Versions 3.2.1 and prior of both GE MDS PulseNet and MDS PulseNET Enterprise are affected. Exploitation of these vulnerabilities may allow elevation of privilege and exfiltration of information on the host platform. GE has modified the product architecture and software of PulseNET. The latest version mitigates these specific vulnerabilities. GE encourages users to update PulseNET to Version 4.1 or newer to eliminate these vulnerabilities. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of these vulnerabilities. NCCIC/ICS-CERT.