PT-2017-17984 · General Electric+1 · Multilin Universal Relay+8

Published: 2017-06-30 · Updated: 2019-10-09 · CVE-2017-7905

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

General Electric (GE) Multilin SR 750 Feeder Protection Relay versions prior to 7.47
General Electric (GE) Multilin SR 760 Feeder Protection Relay versions prior to 7.47
General Electric (GE) Multilin SR 469 Motor Protection Relay versions prior to 5.23
General Electric (GE) Multilin SR 489 Generator Protection Relay versions prior to 4.06
General Electric (GE) Multilin SR 745 Transformer Protection Relay versions prior to 5.23
General Electric (GE) Multilin SR 369 Motor Protection Relay all versions
General Electric (GE) Multilin Universal Relay versions prior to 6.0 and including 6.0
General Electric (GE) Multilin URplus (D90, C90, B95) all versions

Description

A Weak Cryptography for Passwords issue was discovered, where ciphertext versions of user passwords were created with a non-random initialization vector, leaving them susceptible to dictionary attacks. The ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.

Recommendations

For General Electric (GE) Multilin SR 750 Feeder Protection Relay versions prior to 7.47, update to version 7.47 or later.
For General Electric (GE) Multilin SR 760 Feeder Protection Relay versions prior to 7.47, update to version 7.47 or later.
For General Electric (GE) Multilin SR 469 Motor Protection Relay versions prior to 5.23, update to version 5.23 or later.
For General Electric (GE) Multilin SR 489 Generator Protection Relay versions prior to 4.06, update to version 4.06 or later.
For General Electric (GE) Multilin SR 745 Transformer Protection Relay versions prior to 5.23, update to version 5.23 or later.
For General Electric (GE) Multilin SR 369 Motor Protection Relay, contact the manufacturer for a fix as all versions are affected.
For General Electric (GE) Multilin Universal Relay versions prior to 6.0 and including 6.0, update to a version later than 6.0.
For General Electric (GE) Multilin URplus (D90, C90, B95), contact the manufacturer for a fix as all versions are affected.

Fix

Weakness Enumeration

Insufficiently Protected Credentials
Inadequate Encryption Strength
Use of Insufficiently Random Values

Related Identifiers

CVE-2017-7905

Affected Products

Modbus
Multilin SR 369 Motor Protection Relay
Multilin SR 469 Motor Protection Relay
Multilin SR 489 Generator Protection Relay
Multilin SR 745 Transformer Protection Relay
Multilin SR 750 Feeder Protection Relay
Multilin SR 760 Feeder Protection Relay
Multilin URplus
Multilin Universal Relay