-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0940
                  Advisory (icsa-21-075-02) GE UR family
                               17 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GE UR Family
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Increased Privileges     -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27430 CVE-2021-27428 CVE-2021-27426
                   CVE-2021-27424 CVE-2021-27422 CVE-2021-27420
                   CVE-2021-27418 CVE-2016-2183 CVE-1999-1085

Reference:         ASB-2018.0203
                   ASB-2017.0169
                   ASB-2017.0028
                   ASB-2016.0120
                   ESB-2019.0668
                   ESB-2018.3852.2

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02

- --------------------------BEGIN INCLUDED TEXT--------------------

GE UR family

Original release date: March 16, 2021

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low skill level to exploit
  o Vendor: GE
  o Equipment: UR Family
  o Vulnerabilities: Inadequate Encryption Strength, Session Fixation, Exposure
    of Sensitive Information to an Unauthorized Actor, Improper Input
    Validation, Unrestricted Upload of File with Dangerous Type, Insecure
    Default Variable Initialization, Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
access sensitive information, reboot the UR, gain privileged access, or cause a
denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

GE reports the vulnerabilities affect the following UR family (B30, B90, C30,
C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60)
of advanced protection and control relays:

  o Vulnerabilities related to SSH Support: firmware versions 7.4x to 8.0x
    (CyberSentry option)
  o Web server vulnerabilities: all firmware versions prior to version 8.1x
  o Protection from unintended firmware upload: all firmware versions prior to
    8.1x with basic security option
  o Provisions to disable Factory Mode: all firmware versions prior to 8.1x
    with basic security option
  o Access to "Last-key pressed" register: all firmware versions prior to 8.1x
    with basic security option
  o Weakness in UR bootloader binary: all bootloader versions prior to 7.03/
    7.04

Please see GE publication GES-2021-004 (login required) for more information.

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

Prior to UR firmware Version 8.1x, UR supported various encryption and MAC
algorithms for SSH communication, some of which are weak.

CVE-2016-2183 and CVE- 2013-2566 have been assigned to this vulnerability. A
CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:N
/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ).

3.2.2 SESSION FIXATION CWE-384

Prior to firmware Version 7.4x, UR supported only SSHv2. Starting from firmware
Version 7.4x, UR added support to SSHv1. SSHv1 has known vulnerabilities (SSH
protocol session key retrieval and insertion attack).

CVE-1999-1085 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:L/A:N ).

3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Web server interface is supported on UR over HTTP protocol. It allows sensitive
information exposure without authentication.

CVE-2021-27422 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

UR supports web interface with read-only access. The device fails to properly
validate user input, making it possible to perform cross-site scripting
attacks, which may be used to send a malicious script. Also, UR Firmware web
server does not perform HTML encoding of user-supplied strings.

CVE-2021-27418 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:L/A:N ).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

UR Firmware web server task does not properly handle receipt of unsupported
HTTP verbs, resulting in the web server becoming temporarily unresponsive after
receiving a series of unsupported HTTP requests. When unresponsive, the web
server is inaccessible. By itself, this is not particularly significant as the
relay remains effective in all other functionality and communication channels.

CVE-2021-27420 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:N/A:L ).

3.2.6 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

UR IED supports upgrading firmware using UR Setup configuration tool -
Enervista UR Setup. This UR Setup tool validates the authenticity and integrity
of firmware file before uploading the UR IED. An illegitimate user could
upgrade firmware without appropriate privileges. The weakness is assessed, and
mitigation is implemented in firmware Version 8.10.

CVE-2021-27428 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:N/A:N ).

3.2.7 INSECURE DEFAULT VARIABLE INITIALIZATION CWE-453

UR IED with "Basic" security variant does not allow the disabling of the
"Factory Mode," which is used for servicing the IED by a "Factory" user.

CVE-2021-27426 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.2.8 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

UR shares MODBUS memory map as part of the communications guide. GE was made
aware a "Last-key pressed" MODBUS register can be used to gain unauthorized
information.

CVE-2021-27424 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/
C:L/I:N/A:N ).

3.2.9 USE OF HARD-CODED CREDENTIALS CWE-798

UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded
credentials. Additionally, a user with physical access to the UR IED can
interrupt the boot sequence by rebooting the UR.

CVE-2021-27430 has been assigned to this vulnerability. A CVSS v3 base score of
8.4 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:N/S:U/
C:H/I:H/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Communications, Critical Manufacturing,
    Energy, Healthcare and Public Health, Transportation Systems, Water and
    Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

SCADA-X, DOE's Cyber Testing for Resilient Industrial Control Systems (CyTRICS)
program, Verve Industrial, and VuMetric reported these vulnerabilities to GE.

4. MITIGATIONS

GE strongly recommends users with impacted firmware versions update their UR
devices to UR firmware Version 8.10, or greater to resolve these
vulnerabilities. GE provides additional mitigations and information about these
vulnerabilities in GE Publication Number: GES-2021-004 (login required).

GE recommends protecting UR IED by using network defense-in-depth practices.
This includes, but is not limited to, placing UR IED inside the control system
network security perimeter, and having access controls, monitoring (such as an
Intrusion Detection System), and other mitigating technologies in place.

GE recommends users refer to the UR Deployment guide for secure configuration
of UR IED and system.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet .
  o Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on us-cert.cisa.gov . Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYFGBaONLKJtyKPYoAQg3JxAAiMIAsCcxGzz+Y5e8qzuS1Po8sCPdNdiq
ZAedAlRTNWgtKuMnO7kb2yFLbIwvkKgM247gP+NGkH645gW6sDpqLUBRGN4wS52a
98WYks4UeahO1kw+AXPrHjeQJzDEWP1KpOHKi8htiZJyyi1apJw0wp2KMJh9bJ76
X5QgdY535oCR0VbNvg2SpDnOmVf0ywCUGJD6Xdk2MOF5k+kwHe9J1zunEjdPvnZQ
sgVJBeWzIKc6jnMbFCv3pHcErS5EiG+PBa5kvsfKPXkOIH6xhTbNrM5Wt8BZ/qrH
dV8bDhmnWpSx8bQ//66QAaLct6qelQkS32ucFbxOI4Y8nGnhCWfYyi0eb1XiAJOB
XmqaQwOEQIw6WrCd/XlLKwBG610Auo6kkVexlzc7yOqgobyW0dlWCJbGkE+WyIwo
bCOpidL93K7XHintCK+bPNh+2KDOJIoicgH3YOKZS7R1WzmV4rkbFziDxncEgPaR
uk9Ycg516xysAtEJpd0AS+P1MLgxk/8zVraW1+JpsxCwI1nm+FdB59BDe6sqxZTG
mq/oyzqzx1ua/ZR58WQGJmWLKjl0KbVF/SgU9hOXqeJxGLiEs9zn4KQPXeIeXWz0
Uf84bDtwLIc809fHHZMME0648/RtKimPQfDZ0CUseJO0c4rp7rkFI786yQ3eKUPJ
TvINyixJ+vU=
=tmby
-----END PGP SIGNATURE-----