ICS-CERT this week issued an advisory detailing nine critical vulnerabilities affecting GE’s Universal Relay (UR) Family, including several that could allow an attacker to access sensitive information, reboot the devices, gain privileged access, or crash the system via denial of service.
The vulnerabilities in ICSA-21-075-02 affect GE’s B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60 relays and carry an aggregate CVSS score of 9.8. Researchers at Verve Industrial as well as teams from SCADA-X, VuMetric, and the U.S. Department of Energy’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program contributed individual discoveries to the multi-part advisory.
Verve researchers found that the GE products in question could allow unrestricted file uploads via the official OEM tool, including unsigned and unvalidated firmware. The Verve team also reported exposure of sensitive information (insecure Modbus functions and non-standard behavior) and the presence of hard-coded credentials in the associated bootloader that could be leveraged by an attacker when interrupting the boot sequence.
Other issues covered in the advisory include inadequate encryption, weaknesses in SSH implementation, use of insecure HTTP, poor input validation, and an inability to disable the devices’ factory service mode.
To mitigate the risks associated with ICSA-21-075-02, GE recommends updating UR devices to firmware Version 8.10 or higher. GE provides additional information on mitigation for registered users in their publication GES-2021-004.
Beyond the OEM’s specific recommendations, when it comes to significant advisories like this, we always recommend a calm, measured approach with a healthy dose of security basics. Some things to keep in mind when vulnerabilities make headlines:
- Similar vulnerabilities are ubiquitous. As we move to more modern IoT/IIoT devices, developers integrating components and bolt-on functionality on top of protocol implementations will continue to make software engineering blunders.
- Bootloader vulnerabilities require local access and power control. Without the ability to cycle device power on and off, an attacker cannot execute the bootloader code.
- Web functionality offers a large attack surface. Owing to the eccentricities of their daemons and programming languages, web-based functions are best left disabled or, at least, sheltered behind multiple firewalls.
- Protocols that are vulnerable by design are not necessarily vulnerable in practice. If an attacker gets unfettered network access or lands in a privileged position, things can get dicey fast. But neither condition should occur if proper network segmentation and access controls are in place. Direct remote access should be limited to secure methods such as IPsec VPN.
- The security of protocol implementations, especially for cryptography, degrades over time. Direct access to systems that are slower to be patched, if at all, should be avoided. Still, SSH is far preferable to HTTP-based communications, particularly when you force strong ciphers and prevent downgrading.
- Industrial protocols generally lack strong security features. In the case of the GE UR devices, the “unlock” function leaves passwords intact and accessible. Be mindful of the limitations of security functions and don’t rely on them.
- Assume all devices are vulnerable. Multiple layers of security – from deployment to retirement – are necessary and require effective management and maintenance to retain their risk-reduction qualities.
Advisories such as these are concerning, but no cause for panic. GE UR devices are, after all, responsible for the safe and reliable generation of energy, so their security weaknesses certainly deserve our full attention. As always, we suggest a balanced and realistic approach to remediation consistent with the vendor’s recommendations.
On top of that, a layered-defense approach goes a long way toward safeguarding any affected organization. Asset owners should always be maintaining accurate, detailed inventories, keeping up with patching and updates, disabling unnecessary functionality, and monitoring for abnormal behavior.
These security fundamentals, coupled with controls on both physical and remote access to systems and devices, constitute an effective first line of protection for OT/ICS environments no matter what new threat is making news on any given day.
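As an added example of the inventory-and-patching fundamentals above (this is not code from GE, ICS-CERT or the advisory), the script below checks an asset inventory against the affected UR model list and the 8.10 firmware level from ICSA-21-075-02. The inventory format and the sample rows are assumed and constructed for the example; the version parser also avoids the common mistake of comparing firmware versions as strings, where "8.9" would wrongly rank above "8.10".

```python
"""Added example (not GE's or ICS-CERT's code): flag GE UR relays in an
asset inventory whose firmware is below the 8.10 fix level from
ICSA-21-075-02. Inventory format and sample rows are assumed/constructed."""
import re
from typing import Optional

# UR models named as affected in ICSA-21-075-02.
AFFECTED_MODELS = {
    "B30", "B90", "C30", "C60", "C70", "C95", "D30", "D60", "F35", "F60",
    "G30", "G60", "L30", "L60", "L90", "M60", "N60", "T35", "T60",
}
FIXED_VERSION = (8, 10)  # GE recommends firmware 8.10 or higher

def parse_version(text: str) -> Optional[tuple]:
    """'8.10', 'v7.42', '8.10.1' -> tuple of ints, or None if unparseable.
    Plain string comparison would rank '8.9' above '8.10', so compare
    numerically, component by component."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def needs_update(model: str, firmware: str) -> Optional[bool]:
    """True: affected model below 8.10. False: not affected, or already at
    8.10+. None: affected model with an unreadable version (review it)."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return False
    ver = parse_version(firmware)
    return None if ver is None else ver < FIXED_VERSION

def triage(inventory):
    """Sort (name, model, firmware) rows into update / review / clear."""
    update, review, clear = [], [], []
    for name, model, firmware in inventory:
        status = needs_update(model, firmware)
        if status is None:
            review.append(name)
        elif status:
            update.append(name)
        else:
            clear.append(name)
    return update, review, clear

# Constructed sample inventory; names and versions are made up.
SAMPLE_INVENTORY = [
    ("feeder-relay-01", "F60", "7.42"),
    ("line-relay-02", "L90", "8.10"),
    ("line-relay-03", "D60", "8.9"),     # string compare would miss this
    ("bus-relay-04", "B30", "unknown"),  # unreadable version: manual review
    ("other-ied-05", "X99", "1.0"),      # not a UR model on the list
]
```

Calling `triage(SAMPLE_INVENTORY)` returns the relays to update, those needing manual review, and those already clear, which can feed a patch schedule or a ticketing system.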