The Cybersecurity and Infrastructure Security Agency (CISA) announced this week the presence of several vulnerabilities in GE’s Universal Relay (UR) equipment, Hitachi ABB Power Grids’ eSOMS products and AFS Series, and Advantech’s WebAccess/SCADA equipment deployed in the critical infrastructure sector.
The security loopholes found in GE’s UR systems could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition. SCADA-X, DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial and VuMetric reported these vulnerabilities to GE, according to CISA.
Researchers from industrial cybersecurity firm Verve found that the GE products in question could allow unrestricted file uploads via the official OEM tool, including unsigned and unvalidated firmware. The Verve team also reported exposure of sensitive information (insecure Modbus functions and non-standard behavior) and the presence of hard-coded credentials in the associated bootloader that could be leveraged by an attacker who interrupts the boot sequence, the company said in a blog post.
Other issues covered include inadequate encryption, weaknesses in SSH implementation, use of insecure HTTP, poor input validation, and an inability to disable the devices’ factory service mode, Verve added.
Advisories such as these are concerning, but no cause for panic, wrote Ron Brash, a Verve executive, in the blog post. “GE UR devices are responsible for the safe and reliable creation of energy after all, so their security weaknesses certainly deserve our full attention,” he added.
GE recommends that users with impacted firmware versions update their UR devices to UR firmware version 8.10 or greater to resolve the vulnerabilities. The company advises protecting UR IEDs by using network defense-in-depth practices. This includes, but is not limited to, placing UR IEDs inside the control system network security perimeter and having access controls, monitoring, and other mitigating technologies in place.
Last month, Applied Risk analyzed security vulnerabilities detected in GE Digital’s iFIX HMI/SCADA equipment. The loopholes would allow an authenticated but unprivileged user to modify the system-wide iFIX configuration, potentially leading to the arbitrary execution of attacker code. Used for industrial process visualization, monitoring and control, GE’s iFIX is a Human Machine Interface (HMI) product.
Hitachi ABB also identified security vulnerabilities that could potentially affect all versions of its eSOMS products prior to 6.3 that use a version of Telerik software, deployed in the critical infrastructure sector. The flaws could allow an attacker to upload malicious files to the server, discover sensitive information, or execute arbitrary code.
The loopholes include path traversal, deserialization of untrusted data, improper input validation, inadequate encryption strength, and insufficiently protected credentials, according to an advisory issued by CISA on Thursday. The company recommended that users update to eSOMS version 6.3 as soon as possible.
Earlier in the week, an infinite loop security vulnerability was detected in the AFS Series from Hitachi ABB Power Grids that could cause a denial-of-service condition on one of the ports in a High-availability Seamless Redundancy (HSR) ring, typically deployed in the critical infrastructure sector.
The modification in the HSR implementation of the AFS660/AFS665 version 07.0.07 introduced a vulnerability that could allow an unauthenticated, adjacent attacker to cause a denial-of-service on one of the HSR ring ports of the device, Hitachi ABB said in its advisory. To exploit this vulnerability, the attacker would need to have physical access to an affected system node, as they must be inside the network to launch the attack.
HSR is an Ethernet network protocol that ensures high availability and reduces network recovery time, and therefore transmission interruption, to “zero,” providing seamless failover against the failure of any single network component.
Hitachi ABB Power Grids advised users to install the available updates, which remove the vulnerability by modifying the way the switch processes HSR frames. The Swiss company had in January reported an improper authentication flaw in its FOX615 multiservice multiplexer for power grids that could allow an attacker to remotely access the device without authentication.
CISA also warned users of the presence of a cross-site scripting vulnerability in Advantech’s WebAccess/SCADA equipment used in the critical infrastructure sector. Exploitation of the vulnerability enables an unauthorized user to steal a user’s cookie/session token or redirect an authorized user to a malicious webpage.
The Taiwanese company advised users to update WebAccess/SCADA to version 9.0.1 or later.