The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security alert about vulnerabilities that affect the GE Universal Relay (UR) family series of products. The notice was generated due to GE reporting the vulnerabilities, and subsequent patches, to the agency. Universal Relay products are used for power management in utilities worldwide. GE says they provide utilities with the technology “to maximize the performance of their electrical systems’ protection and control elements.”
According to the alert, there are nine vulnerabilities in total, and they collectively score a critical 9.8 on the Common Vulnerability Scoring System (CVSS).
The security advisory states the following about these UR family vulnerabilities:
Vulnerabilities: Inadequate Encryption Strength, Session Fixation, Exposure of Sensitive Information to an Unauthorized Actor, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Insecure Default Variable Initialization, Use of Hard-coded Credentials
GE reports the vulnerabilities affect the following UR family (B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60) of advanced protection and control relays:
- Vulnerabilities related to SSH Support: firmware versions 7.4x to 8.0x (CyberSentry option)
- Web server vulnerabilities: all firmware versions prior to version 8.1x
- Protection from unintended firmware upload: all firmware versions prior to 8.1x with basic security option
- Provisions to disable Factory Mode: all firmware versions prior to 8.1x with basic security option
- Access to “Last-key pressed” register: all firmware versions prior to 8.1x with basic security option
- Weakness in UR bootloader binary: all bootloader versions prior to 7.03/7.04
The UR family vulnerabilities do not require a high skill level to exploit, and additionally, they can be exploited remotely. If successfully exploited, a whole host of options open up for a threat actor that has access. The cybercriminal in question can reboot the UR at will, create denial-of-service, access sensitive data, and also engage in privilege escalation to the point of gaining high-level access. It is especially worrisome in a current climate where cybercriminals and nation-states are targeting critical infrastructure.
GE has issued patches for all of the affected products and highly recommends firmware updates be implemented as soon as possible.
Featured image: Wikimedia