Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0940 Advisory (icsa-21-075-02) GE UR family 17 March 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: GE UR Family Publisher: ICS-CERT Operating System: Network Appliance Impact/Access: Increased Privileges -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-27430 CVE-2021-27428 CVE-2021-27426 CVE-2021-27424 CVE-2021-27422 CVE-2021-27420 CVE-2021-27418 CVE-2016-2183 CVE-1999-1085 Reference: ASB-2018.0203 ASB-2017.0169 ASB-2017.0028 ASB-2016.0120 ESB-2019.0668 ESB-2018.3852.2 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02 - --------------------------BEGIN INCLUDED TEXT-------------------- GE UR family Original release date: March 16, 2021 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.8 o ATTENTION: Exploitable remotely/low skill level to exploit o Vendor: GE o Equipment: UR Family o Vulnerabilities: Inadequate Encryption Strength, Session Fixation, Exposure of Sensitive Information to an Unauthorized Actor, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Insecure Default Variable Initialization, Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS GE reports the vulnerabilities affect the following UR family (B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60) of advanced protection and control relays: o Vulnerabilities related to SSH Support: firmware versions 7.4x to 8.0x (CyberSentry option) o Web server vulnerabilities: all firmware versions prior to version 8.1x o Protection from unintended firmware upload: all firmware versions prior to 8.1x with basic security option o Provisions to disable Factory Mode: all firmware versions prior to 8.1x with basic security option o Access to "Last-key pressed" register: all firmware versions prior to 8.1x with basic security option o Weakness in UR bootloader binary: all bootloader versions prior to 7.03/ 7.04 Please see GE publication GES-2021-004 (login required) for more information. 3.2 VULNERABILITY OVERVIEW 3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326 Prior to UR firmware Version 8.1x, UR supported various encryption and MAC algorithms for SSH communication, some of which are weak. CVE-2016-2183 and CVE- 2013-2566 have been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N /AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ). 3.2.2 SESSION FIXATION CWE-384 Prior to firmware Version 7.4x, UR supported only SSHv2. Starting from firmware Version 7.4x, UR added support to SSHv1. SSHv1 has known vulnerabilities (SSH protocol session key retrieval and insertion attack). CVE-1999-1085 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:L/A:N ). 3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 Web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication. CVE-2021-27422 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:H/I:N/A:N ). 3.2.4 IMPROPER INPUT VALIDATION CWE-20 UR supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings. CVE-2021-27418 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:L/A:N ). 3.2.5 IMPROPER INPUT VALIDATION CWE-20 UR Firmware web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By itself, this is not particularly significant as the relay remains effective in all other functionality and communication channels. CVE-2021-27420 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:N/I:N/A:L ). 3.2.6 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 UR IED supports upgrading firmware using UR Setup configuration tool - Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10. CVE-2021-27428 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:H/I:N/A:N ). 3.2.7 INSECURE DEFAULT VARIABLE INITIALIZATION CWE-453 UR IED with "Basic" security variant does not allow the disabling of the "Factory Mode," which is used for servicing the IED by a "Factory" user. CVE-2021-27426 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:H/I:H/A:H ). 3.2.8 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 UR shares MODBUS memory map as part of the communications guide. GE was made aware a "Last-key pressed" MODBUS register can be used to gain unauthorized information. CVE-2021-27424 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:L/I:N/A:N ). 3.2.9 USE OF HARD-CODED CREDENTIALS CWE-798 UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR. CVE-2021-27430 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:N/S:U/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER SCADA-X, DOE's Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these vulnerabilities to GE. 4. MITIGATIONS GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required). GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. GE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls, and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov . Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYFGBaONLKJtyKPYoAQg3JxAAiMIAsCcxGzz+Y5e8qzuS1Po8sCPdNdiq ZAedAlRTNWgtKuMnO7kb2yFLbIwvkKgM247gP+NGkH645gW6sDpqLUBRGN4wS52a 98WYks4UeahO1kw+AXPrHjeQJzDEWP1KpOHKi8htiZJyyi1apJw0wp2KMJh9bJ76 X5QgdY535oCR0VbNvg2SpDnOmVf0ywCUGJD6Xdk2MOF5k+kwHe9J1zunEjdPvnZQ sgVJBeWzIKc6jnMbFCv3pHcErS5EiG+PBa5kvsfKPXkOIH6xhTbNrM5Wt8BZ/qrH dV8bDhmnWpSx8bQ//66QAaLct6qelQkS32ucFbxOI4Y8nGnhCWfYyi0eb1XiAJOB XmqaQwOEQIw6WrCd/XlLKwBG610Auo6kkVexlzc7yOqgobyW0dlWCJbGkE+WyIwo bCOpidL93K7XHintCK+bPNh+2KDOJIoicgH3YOKZS7R1WzmV4rkbFziDxncEgPaR uk9Ycg516xysAtEJpd0AS+P1MLgxk/8zVraW1+JpsxCwI1nm+FdB59BDe6sqxZTG mq/oyzqzx1ua/ZR58WQGJmWLKjl0KbVF/SgU9hOXqeJxGLiEs9zn4KQPXeIeXWz0 Uf84bDtwLIc809fHHZMME0648/RtKimPQfDZ0CUseJO0c4rp7rkFI786yQ3eKUPJ TvINyixJ+vU= =tmby -----END PGP SIGNATURE-----