SB2021031711 - Multiple vulnerabilities in GE UR family




Published: March 17, 2021

Security Bulletin ID: SB2021031711
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 14%, Medium 57%, Low 29%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2021-27422)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the UR web server interface is supported over the HTTP protocol. A remote attacker can gain unauthorized access to sensitive information on the system.


2) Cross-site scripting (CVE-ID: CVE-2021-27418)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


3) Input validation error (CVE-ID: CVE-2021-27420)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the UR firmware web server task does not properly handle receipt of unsupported HTTP verbs. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Arbitrary file upload (CVE-ID: CVE-2021-27428)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists because the UR Setup tool validates the authenticity and integrity of the firmware file before uploading it to the UR IED. A remote attacker can upgrade firmware without appropriate privileges.


5) Insecure Default Variable Initialization (CVE-ID: CVE-2021-27426)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the UR IED with the “Basic” security variant does not allow disabling of the “Factory Mode”, which is used for servicing the IED by a “Factory” user. A remote attacker can execute arbitrary code on the system.

Note: This vulnerability affects the following versions of Provisions to disable Factory Mode:

  • all firmware versions prior to 8.1x with basic security option


6) Information disclosure (CVE-ID: CVE-2021-27424)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the UR shares its MODBUS memory map as part of the communications guide. A remote attacker can gain unauthorized access to sensitive information on the system.

Note: This vulnerability affects the following versions of Access to “Last-key pressed” register:

  • all firmware versions prior to 8.1x with basic security option

7) Use of hard-coded credentials (CVE-ID: CVE-2021-27430)

The vulnerability allows a local attacker to gain full access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in the application code. A local attacker can interrupt the boot sequence by rebooting the UR.


Remediation

Install the update from the vendor's website.