10 vulnerabilities in GE relays used in energy, oil and gas industries can cause massive destruction

The Cybersecurity and Infrastructure Security Agency (CISA) has published a report on multiple vulnerabilities found in the UR family of products, developed by tech firm General Electric for the control of various industrial environments and tasks. According to the report, successful exploitation of these flaws would allow threat actors to access sensitive information, arbitrarily restart devices, gain privileged access, or cause denial of service (DoS) conditions.

The agency specifies that the flaws are present in the following UR product models: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60.

The report describes several kinds of security issues, including weak encryption, exposure of sensitive information, improper input validation, and use of hard-coded login credentials.

The most serious of these flaws is the use of weak encryption algorithms in UR firmware versions earlier than 8.1x, which would allow access to potentially sensitive information. This flaw received a score of 7.5/10 on the Common Vulnerability Scoring System (CVSS) scale and was identified as CVE-2016-2183.

Another flaw that poses severe risks to users of affected deployments was identified as CVE-2021-27422 and exists because the UR web server interface is supported over the HTTP protocol, allowing the exposure of potentially sensitive information.

Like the previous flaw, this bug received a CVSS score of 7.5/10.

All other flaws received scores lower than 5.5/10, which means that exploiting them is very complex or requires too many preconditions, so they are not considered severe flaws.

As a security measure, General Electric strongly recommends that users of affected firmware versions upgrade their UR devices to UR firmware version 8.10 and above. The company’s official website shows additional details for risk mitigation.

If you cannot upgrade to secure firmware versions, the company recommends that administrators implement the following security measures:

  • Minimize network exposure for all control system devices, and make sure they are not accessible over the Internet
  • Identify the control system networks and remote devices behind firewalls and, if necessary, isolate them from the enterprise network
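
One way to apply the upgrade and exposure recommendations above to an asset inventory, as an added example that is not from CISA, GE or the original article. The CSV columns, the sample rows and the two-digit minor firmware format are assumptions.

```python
import csv
import io
import re

# UR models named in the article.
AFFECTED_MODELS = {
    "B30", "B90", "C30", "C60", "C70", "C95", "D30", "D60", "F35", "F60",
    "G30", "G60", "L30", "L60", "L90", "M60", "N60", "T35", "T60",
}
FIXED_FIRMWARE = (8, 10)  # the article: upgrade to 8.10 and above

# Assumption: firmware is recorded as "major.minor" with a two-digit minor ("7.40").
FW_RE = re.compile(r"^(\d+)\.(\d{2})$")

# Constructed sample inventory; the column names are an assumed export format.
SAMPLE_INVENTORY = """\
asset,model,firmware,internet_reachable
sub1-feeder,F60,7.40,no
sub1-line,L90,8.10,no
sub2-xfmr,T60,7.2x,yes
plant-gen,g60,8.30,yes
sub3-other,X99,3.10,no
"""

def triage(inventory_csv):
    """Return (asset, action) pairs for listed UR devices that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            continue  # not one of the UR models listed in the article
        actions = []
        match = FW_RE.match(row["firmware"].strip())
        if match is None:
            # Never guess at a string such as "7.2x"; read it off the device.
            actions.append("verify firmware manually")
        elif (int(match[1]), int(match[2])) < FIXED_FIRMWARE:
            # Compare as integer pairs, not floats or strings.
            actions.append("upgrade firmware")
        if row["internet_reachable"].strip().lower() == "yes":
            actions.append("remove internet exposure")
        findings.extend((row["asset"], action) for action in actions)
    return findings

if __name__ == "__main__":
    for asset, action in triage(SAMPLE_INVENTORY):
        print(f"{asset}: {action}")
```
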
