CISA is warning of vulnerabilities in GE Power Management Devices

U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of flaws in GE Power Management Devices that could allow an attacker to conduct multiple malicious activities on vulnerable systems.

U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of vulnerabilities in GE Power Management Devices that could be exploited by an attacker to conduct multiple malicious activities on systems belonging to the Universal Relay (UR) family.

The flaws could be exploited to access sensitive information, reboot the device, trigger a denial-of-service condition, and gain privileged access.

The types of vulnerabilities affecting the devices are Inadequate Encryption Strength, Session Fixation, Exposure of Sensitive Information to an Unauthorized Actor, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Insecure Default Variable Initialization, Use of Hard-coded Credentials.

“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.” reads the alert published by CISA.

GE’s UR devices are used to control and protect the power consumption of various devices. Affected UR families are B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60. The vendor released security updates for all these devices and urges customers to update their installs, it also released mitigations to address the flaws.

“GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).” continues the alert.

The most severe issue addressed by the vendor is a critical “INSECURE DEFAULT VARIABLE INITIALIZATION” issue tracked as CVE-2021-27426 and rated with a CVSS score of 9.8 out of 10.

“UR IED with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user.” reads the advisory for this flaw.

The vulnerability could be exploited by a remote attacker to bypass security restrictions.

“GE UR family could allow a remote attacker to bypass security restrictions, caused by insecure default variable initialization in UR IED. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.” reads the advisory published by IBM X-Force.

Another high-severity issue addressed by the vendor is related to the “USE OF HARD-CODED CREDENTIALS tracked as CVE-2021-27430 that received a CVSS score of 8.4.

“UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.” continues the advisory.

GE also addressed a high-severity issue, an EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR, tracked as CVE-2021-27422 and rated with a CVSS v3 base score of 7.5.

“Web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication.” continues the alert.

GE recommends the implementation of network defense-in-depth practices to protect UR IED, including placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. 

“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.” states CISA. “Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

[adrotate banner=”5″]

[adrotate banner=”13″]