CVE-2012-2516: OS Command Injection
First published: Thu Jul 05 2012(Updated: )
An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GE Intelligent Platforms Proficy Batch Execution | =5.6 | |
| GE Proficy Historian | =3.1 | |
| GE Proficy Historian | =3.5 | |
| GE Proficy Historian | =4.0 | |
| GE Proficy Historian | =4.5 | |
| GE Intelligent Platforms Proficy HMI/SCADA iFIX | =5.0 | |
| GE Intelligent Platforms Proficy HMI/SCADA iFIX | =5.1 | |
| GE Intelligent Platforms Proficy Pulse | =1.0 | |
| GE Intelligent Platforms Si7 I/O Driver | =7.20 | |
| GE Intelligent Platforms Si7 I/O Driver | =7.42 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2012-2516?
CVE-2012-2516 has a high severity due to its potential for remote code execution.
How do I fix CVE-2012-2516?
To fix CVE-2012-2516, users should update to the latest versions of the affected GE Intelligent Platforms software components.
Which software versions are affected by CVE-2012-2516?
CVE-2012-2516 affects GE Intelligent Platforms Proficy Historian versions 3.1, 3.5, 4.0, and 4.5, Proficy HMI/SCADA iFIX 5.0 and 5.1, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver versions 7.20 and 7.42.
What type of vulnerability is CVE-2012-2516?
CVE-2012-2516 is identified as a remote code execution vulnerability in an ActiveX control.
Is there a workaround for CVE-2012-2516 if I cannot update software?
As a temporary measure, users may consider disabling the ActiveX control in question to mitigate the risk associated with CVE-2012-2516.
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ge
- canonical/ge intelligent platforms proficy batch execution
- version/ge intelligent platforms proficy batch execution/5.6
- canonical/ge proficy historian
- version/ge proficy historian/3.1
- version/ge proficy historian/3.5
- version/ge proficy historian/4.0
- version/ge proficy historian/4.5
- canonical/ge intelligent platforms proficy hmi/scada ifix
- version/ge intelligent platforms proficy hmi/scada ifix/5.0
- version/ge intelligent platforms proficy hmi/scada ifix/5.1
- canonical/ge intelligent platforms proficy pulse
- version/ge intelligent platforms proficy pulse/1.0
- canonical/ge intelligent platforms si7 i/o driver
- version/ge intelligent platforms si7 i/o driver/7.20
- version/ge intelligent platforms si7 i/o driver/7.42