Severity score: 7.5 (High) | CWE-611: Improper Restriction of XML External Entity Reference

CVE-2021-44477: GE Gas Power ToolBoxST Improper Restriction of XML External Entity Reference

First published: Fri Mar 25 2022

GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.

Credit: ics-cert@hq.dhs.gov

Affected Software            Affected Version   How to fix
GE ToolBoxST                 < 07.09.07c
GE Gas Power ToolBoxST OSC   < 07.09.07         07.09.07

Remedy

GE addressed CVE-2021-44477 in ToolBoxST OS Version 07.09.07C and above by disabling the use of DTDs, which are not necessary for ToolBoxST functionality. GE upgraded the Ionic library in ToolBoxST Version 7.8.0 to resolve CVE-2018-16202. Users should ensure they follow the password protection and network segmentation guidance laid out in the GEH-6839 Secure Deployment Guide. Additionally, the use of SDI Secure Mode offers considerable protection against this attack, as the threat actor must be able to perform a download to the controller over SDI. Secure Mode validates authenticity and protects against spoofing of SDI commands.
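The vendor remedy above is to disable DTD processing outright, since the project/template files never need a DTD. The following is an added example, not code from GE or from the advisory, showing what that policy looks like in a stand-alone Python loader: the document is first scanned with entity expansion switched off and refused the moment a DOCTYPE declaration appears, and only a DTD-free document reaches the real parser. The function names, element names and the constructed sample documents are assumptions for illustration; ToolBoxST's actual project format is not reproduced here.

```python
"""Added example: refuse any DTD when loading an XML project/template file.

Implements the same policy as the vendor fix described above (DTDs are not
needed, so they are not accepted) as a two-step loader. Everything below,
including the sample documents, is constructed for illustration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a document declares a DOCTYPE (internal or external DTD)."""


def reject_dtd(data: bytes) -> None:
    """Scan the document and abort at the first DOCTYPE declaration.

    The scan itself cannot cause an out-of-band request: parameter-entity
    parsing is explicitly off and no external-entity handler is installed, so
    nothing referenced from a DTD is ever fetched or expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside the handler propagates out of Parse() and stops the scan.
        raise DtdNotAllowed(
            f"DOCTYPE {name!r} declared (system id {sysid!r}); DTDs are not accepted"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def load_project(data: bytes) -> ET.Element:
    """Parse a project file only after confirming it carries no DTD."""
    reject_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok', 'dtd' or 'malformed' for a document, without raising."""
    try:
        load_project(data)
    except DtdNotAllowed:
        return "dtd"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"
    return "ok"


# Constructed sample: a plain project file with no prolog beyond the XML declaration.
BENIGN = b"""<?xml version="1.0"?>
<project name="unit-7"><controller ip="10.0.0.5"/></project>"""

# Constructed sample: the prolog points at an external DTD. A DTD-aware parser
# would try to fetch it; this loader refuses the file before that can happen.
WITH_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE project SYSTEM "http://dtd.example.invalid/project.dtd">
<project name="unit-7"/>"""

# Constructed sample: an internal subset declaring a parameter entity, the
# construct class the advisory names. It is refused at the DOCTYPE itself.
WITH_PARAM_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY % ext SYSTEM "http://dtd.example.invalid/project.dtd">
]>
<project name="unit-7"/>"""


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN),
                       ("external dtd", WITH_EXTERNAL_DTD),
                       ("param entity", WITH_PARAM_ENTITY)]:
        print(f"{label:14s} -> {classify(doc)}")
```

The check is deliberately a separate pass in front of the application's own parser rather than a tweak to that parser's options, so it holds regardless of which XML library the application uses and regardless of that library's defaults for entity resolution.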


Frequently Asked Questions

  • What is CVE-2021-44477?

    CVE-2021-44477 is an XML external entity (XXE) vulnerability in GE Gas Power ToolBoxST Version v04.07.05C.

  • How does CVE-2021-44477 affect GE Gas Power ToolBoxST?

    CVE-2021-44477 allows for disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack.

  • What is the severity of CVE-2021-44477?

    CVE-2021-44477 has a severity rating of 7.5 (High).

  • How can I fix CVE-2021-44477?

    To fix CVE-2021-44477, update GE Gas Power ToolBoxST to version 07.09.07c or higher.

  • Where can I find more information about CVE-2021-44477?

    More information about CVE-2021-44477 can be found at https://www.cisa.gov/uscert/ics/advisories/icsa-22-025-01.

© 2024 SecAlerts Pty Ltd.