Universal Relay devices are used to simplify power management in critical infrastructure assets

GE patches serious vulnerabilities in UR power management devices for utility, energy companies

General Electric (GE) has patched a number of potentially serious security vulnerabilities in its Universal Relay (UR) family of protection and control devices.

Attackers who successfully exploit the flaws could “access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition”, according to a security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA) this week.

Threat to critical assets

The affected products, which are produced by GE’s Grid Solutions division, are used in critical infrastructure sectors worldwide like energy, manufacturing, healthcare, and transportation to simplify “power management for the protection of critical assets”.

Although CISA described the flaws as being remotely exploitable by attackers with a “low skill level”, one of the security researchers who uncovered the vulnerabilities said exploitation “at scale” would “require a great level of skill, budget, and organization”.

Speaking to The Daily Swig, Ron Brash, director of cybersecurity insights at Verve Industrial, also pointed out that “direct access to these systems or a network that can access them is required”.

However, he added: “Generally these devices are not found on the internet directly unless someone has not applied any secure deployment strategies, or has inadvertently misconfigured various network infrastructure devices/security apparatuses.”

Read more of the latest critical infrastructure security news

But “if you can get access to these devices, and upload your own logic or firmware, then you can effectively brick them, upload malicious functionality, and the consequences will be highly negative.”

However, a GE spokesperson told The Daily Swig that, “to date, GE has not been notified of any exploits of the reported vulnerabilities.”

UR running insecure firmware

CISA describes the critical vulnerability (CVSS score 9.8) as arising from the “UR IED with ‘Basic’ security variant” not allowing “the disabling of the ‘Factory Mode’”.

The issue (CVE-2021-27426) is classified as insecure default variable initialization, meaning an internal variable is initialized with an insecure value by default, potentially exposing sensitive data or system information to modification.

Assigned the second highest CVSS of 8.4, another, high risk flaw (CVE-2021-27430) related to unused hardcoded credentials in the bootloader binary.

Ron Brash, who discovered the vulnerability, said: “The credentials were visible in the firmware in cleartext. It also leaked the version, other available functionality, and if fuzzed, it could be interrupted or be made to behave unreliably.”

Another high severity flaw (tracked as CVE-2021-27428 and with a CVSS score of 7.5), also uncovered by Brash, means an unauthorized user could upgrade firmware without appropriate privileges.

“Physical access or access to the device via a network helps, but we were able to push a tampered image to the device,” said Brash.

The other two high risk bugs related to inadequate SSH encryption and potential sensitive information exposure through running a web interface over HTTP.

A further four flaws were deemed medium risk.

Firmware fix, mitigations

Affected UR models include: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, and T60.

Brash said Verve Industrial submitted details of the flaws to GE in July 2020. UR firmware version 8.10, which addressed all of the flaws, landed on December 24 2020.

Catch up on the latest hardware security news

A GE spokesperson said that the company “immediately worked to assess any potential impact and remediate the reported vulnerabilities” upon receiving the reports.

“We encourage our customers to visit the Grid Solutions customer portal and/or the CISA advisory for additional information and mitigation recommendations,” the vendor added.

SCADA-X, VuMetric, and the US Department of Energy’s CyTRICS program were also involved in finding, analyzing, and reporting the vulnerabilities.

Salutary reminder

“The advisory is a reminder that the latest programming fads such as sprints, to use open source everywhere, or by abstracting needlessly away from hardware will not absolve humankind from logic, requirements, and flaws that sneak by the narrow scope of most companies’ testing,” said Brash.

“As devices and software continue to advance, new layers of functionality and integrations will be added”, and inevitable security degradation over time across “multiple components will equate to multiple high-risk entry points for a malicious party.”

Moreover, “a lack of signed firmware will allow malicious parties to insert their own code onto your device – especially if it’s not verified by the receiver.”

Brash envisages that vendors might “start completely encrypting images” to validate a device’s integrity, although this will create “key management complexities” and “hinder “derived SBoM creation”.

RECOMMENDED Measuring risk: Organizations urged to choose defense-in-depth over CVE whack-a-mole