The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical security shortcomings in GE’s Universal Relay (UR) family of power management devices.
“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition,” the agency said in an advisory published on March 16.
GE’s universal relays enable integrated monitoring and metering, high-speed communications, and offer simplified power management for the protection of critical assets.
The flaws, which affect a number of UR advanced protection and control relays, including B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60, were addressed by GE with the release of an updated version of the UR firmware (version 8.10) made available on December 24, 2020.
The patches resolve a total of nine vulnerabilities, the most important of which concerns an insecure default variable initialization, meaning that an internal variable in the software is initialized with an insecure value. The vulnerability (CVE-2021-27426) is rated 9.8 out of 10 on the CVSS scale, making it a critical issue.
“By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions,” IBM noted in its alert.

A second severe vulnerability relates to unused hard-coded credentials in the bootloader binary (CVE-2021-27430, CVSS score 8.4), which could be exploited by an attacker who, “with physical access to the UR [Intelligent Electronic Device], can interrupt the boot sequence by rebooting the UR.”
Also fixed by GE is another high severity flaw (CVE-2021-27428, CVSS score 7.5) that could permit an unauthorized user to upgrade firmware without appropriate privileges.
Four other vulnerabilities involve two improper input validation flaws (CVE-2021-27418, CVE-2021-27420) and two flaws concerning exposure of sensitive information to unauthorized parties (CVE-2021-27422, CVE-2021-27424), which expose the device to cross-site scripting attacks, permit an attacker to access critical information without authentication, and can even render the web server unresponsive.
Lastly, all versions of UR firmware prior to 8.1x were found to use weak encryption and MAC algorithms for SSH communication, making them more vulnerable to brute-force attacks.
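A defender-side check an operator might run against such devices, added here as an example and not taken from the advisory or from GE: it parses the algorithm name-lists an SSH server announces in its KEXINIT message and flags weak ciphers and MACs. The advisory does not name the algorithms involved, so the weak-algorithm sets and the sample KEXINIT below are assumptions constructed for the example.

```python
import struct

# Sets an auditor would flag in a server's offer. The advisory does not name the
# algorithms in pre-8.1x UR firmware; these are assumed from common SSH hardening guidance.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def namelist(names: str) -> bytes:
    """Encode one SSH name-list: uint32 length followed by comma-separated names."""
    return struct.pack(">I", len(names)) + names.encode("ascii")

def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists of a KEXINIT payload (message id 20) into a dict."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # 1-byte message id + 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        text = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = text.split(",") if text else []
    return lists

def weak_algorithms(payload: bytes) -> dict:
    """Return the weak ciphers and MACs the peer offers, keyed by KEXINIT field."""
    lists = parse_kexinit(payload)
    checks = (("enc_c2s", WEAK_CIPHERS), ("enc_s2c", WEAK_CIPHERS),
              ("mac_c2s", WEAK_MACS), ("mac_s2c", WEAK_MACS))
    return {field: [a for a in lists[field] if a in weak]
            for field, weak in checks if any(a in weak for a in lists[field])}

# Constructed sample KEXINIT (not captured from a real UR); only ciphers and MACs matter here.
SAMPLE_KEXINIT = (bytes([20]) + bytes(16)  # message id + zeroed cookie
                  + namelist("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1")
                  + namelist("ssh-rsa")
                  + namelist("aes128-ctr,aes128-cbc,3des-cbc") * 2   # enc c2s / s2c
                  + namelist("hmac-sha2-256,hmac-sha1,hmac-md5") * 2  # mac c2s / s2c
                  + namelist("none") * 2 + namelist("") * 2           # comp, lang
                  + bytes(5))  # first_kex_packet_follows = 0, reserved uint32 = 0

if __name__ == "__main__":
    for field, hits in weak_algorithms(SAMPLE_KEXINIT).items():
        print(f"{field}: weak algorithms offered: {', '.join(hits)}")
```

To audit a live device, read the server's KEXINIT packet after the version-string exchange and pass its payload (the bytes after the packet length and padding length fields) to weak_algorithms.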
“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities,” the agency said. “Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet, [and] locate control system networks and remote devices behind firewalls and isolate them from the business network.”