The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of critical-severity security flaws in GE’s Universal Relay (UR) family of power management devices.
GE’s UR devices are the “basis of simplified power management for the protection of critical assets,” according to the company. These are computing devices that allow users to control the amount of electrical power consumed by various devices. The UR devices allow the underlying devices to switch into various power modes (each having different power usage characteristics). GE has issued patches for the following affected UR device families: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60.
CISA warned that if not updated, the affected products could be exploited to allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.
Given that the devices control the flow and direction of electrical power, the impact of these flaws is heightened: “GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities,” according to CISA’s alert last week.
GE Security Flaws
Overall, nine vulnerabilities were patched across the affected devices. The most serious of these (CVE-2021-27426) has a CVSS score of 9.8 out of 10, making it critical. The flaw stems from insecure default variable initialization. According to an IBM security alert, an affected GE UR family could allow a remote attacker to bypass security restrictions, stemming from insecure default variable initialization in the UR Intelligent Electronic Device (IED) component.
“By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions,” according to IBM. According to GE, the flaw is remotely exploitable and requires a “low skill level to exploit.”
Another high-severity issue (CVE-2021-27430) stems from the fact that the UR bootloader binary in versions 7.00, 7.01 and 7.02 includes hardcoded credentials. According to IBM, a local attacker could exploit this vulnerability to interrupt the boot sequence by rebooting the UR. The flaw ranks 8.4 on the CVSS scale, making it high-severity.
“Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR,” said CISA.
Another high-severity issue (CVE-2021-27422) is that the web server interface for the affected devices is served over the HTTP protocol, allowing sensitive information exposure without authentication, researchers said.
Finally, researchers found that a flaw in the web-based UR Setup configuration tool (CVE-2021-27428) of the affected UR families could allow a remote attacker to upload arbitrary files.
“By sending a specially-crafted request, a remote attacker could exploit this vulnerability to upgrade firmware without appropriate privileges,” according to an IBM advisory.
Security Updates: Patch Now
According to reports, the flaws were first found in July – and the UR firmware version addressing the flaws (version 8.10) was pushed out on Dec. 24. SCADA-X, DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these flaws to GE.
However, after public disclosure of the flaws last week, CISA is now urging end users to update their UR devices. No known public exploits for the vulnerabilities have been discovered yet, CISA noted.
“GE recommends protecting UR IED by using network defense-in-depth practices,” according to CISA’s alert. “This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place.”
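The advisory's action items reduce to an inventory question: which relays are in an affected family, which still run firmware below 8.10 or one of the three bootloader versions named for the hardcoded-credential flaw, which still expose their web interface over plain HTTP, and which sit outside the control-system perimeter. The following triage script is an added example, not code from GE, CISA or the article; the inventory layout (`model`, `firmware`, `bootloader`, `web_scheme`, `zone`) and the model-string format `FAMILY-suffix` are assumptions made for the example, and the sample inventory values are constructed.

```python
"""Patch-status triage for GE Universal Relay (UR) IEDs (added example)."""
from typing import Dict, List, Tuple

# UR families listed as affected in the CISA/GE advisory.
AFFECTED_FAMILIES = {
    "B30", "B90", "C30", "C60", "C70", "C95", "D30", "D60", "F35", "F60",
    "G30", "G60", "L30", "L60", "L90", "M60", "N60", "T35", "T60",
}
FIXED_FIRMWARE = "8.10"  # release GE names as resolving the flaws
# Bootloader versions the advisory names for the hardcoded-credential issue.
BOOTLOADER_WITH_HARDCODED_CREDS = {"7.00", "7.01", "7.02"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.10' into (8, 10). A plain string compare would rank '8.9' above
    '8.10', so versions must be compared numerically, component by component."""
    return tuple(int(part) for part in text.strip().split("."))


def family_of(model: str) -> str:
    """Extract the UR family prefix from a model string such as 'D60-N01'.
    The 'FAMILY-suffix' layout is an assumption for this example."""
    return model.split("-")[0].upper()


def triage_device(device: Dict[str, str]) -> List[str]:
    """Return the list of findings for one inventory record (empty means no action)."""
    findings: List[str] = []
    if family_of(device["model"]) not in AFFECTED_FAMILIES:
        return findings  # not a UR family covered by the advisory
    if parse_version(device["firmware"]) < parse_version(FIXED_FIRMWARE):
        findings.append(
            f"firmware {device['firmware']} is below {FIXED_FIRMWARE}: update required")
    if device.get("bootloader") in BOOTLOADER_WITH_HARDCODED_CREDS:
        findings.append(
            f"bootloader {device['bootloader']} ships hardcoded credentials")
    if device.get("web_scheme", "").lower() == "http":
        findings.append("web interface served over plain HTTP: information exposure")
    if device.get("zone") != "control":
        findings.append(
            f"reachable from zone '{device.get('zone')}': move inside the control perimeter")
    return findings


def triage_inventory(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each device name to its findings, so the result can be sorted or exported."""
    return {device["name"]: triage_device(device) for device in inventory}


def devices_needing_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Names of affected-family relays still below the fixed firmware release."""
    return [
        d["name"] for d in inventory
        if family_of(d["model"]) in AFFECTED_FAMILIES
        and parse_version(d["firmware"]) < parse_version(FIXED_FIRMWARE)
    ]


# Constructed sample inventory; values are illustrative, not real site data.
SAMPLE_INVENTORY = [
    {"name": "relay-01", "model": "D60-N01", "firmware": "7.02", "bootloader": "7.02",
     "web_scheme": "http", "zone": "corporate"},
    {"name": "relay-02", "model": "L90-N02", "firmware": "8.10", "bootloader": "8.10",
     "web_scheme": "https", "zone": "control"},
    # firmware '8.9' is constructed to show why numeric comparison matters
    {"name": "relay-03", "model": "T60-N03", "firmware": "8.9", "bootloader": "8.9",
     "web_scheme": "https", "zone": "control"},
    {"name": "hmi-01", "model": "HMI-01", "firmware": "1.0", "bootloader": "1.0",
     "web_scheme": "http", "zone": "control"},
]

if __name__ == "__main__":
    for name, findings in triage_inventory(SAMPLE_INVENTORY).items():
        status = "; ".join(findings) if findings else "no action"
        print(f"{name}: {status}")
```

Running the script lists `relay-01` with all four findings, `relay-03` only for its firmware (the `8.9` record shows why the version string must be parsed rather than compared as text), and `relay-02` and the non-UR `hmi-01` with nothing to do. Feeding it a real inventory export only requires mapping the export's columns onto the assumed keys.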
GE has dealt with security issues before. In December, a pair of critical vulnerabilities were discovered in dozens of GE Healthcare radiological devices popular in hospitals, which could allow an attacker to gain access to sensitive personal health information (PHI), alter data and even shut the machine’s availability down.