The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification that the GE Universal Relay family of devices contains severe security vulnerabilities.
GE Universal Relay devices and their vulnerabilities:
For those unfamiliar, GE's Universal Relay devices provide integrated monitoring and metering, high-speed communications, and simplified power management for the protection of critical assets.
Analysis of the vulnerabilities indicates that successful exploitation could allow malicious actors to gain access to sensitive data, reboot the Universal Relay devices, obtain privileged access, or cause a denial-of-service (DoS) condition.
According to the report published by CISA, the affected Universal Relay devices include the B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, and T60.
Deploying fixes for GE’s Universal Relays:
GE appears to have addressed these vulnerabilities in a Universal Relay firmware update that was made available back in December 2020.
The security patches in the update resolved a total of nine vulnerabilities.
One of the most significant vulnerabilities patched in the update concerns insecure default variable initialization, that is, an internal variable in the software being initialized with an insecure value. The vulnerability (CVE-2021-27426) is rated 9.8 out of 10, making it a critical issue.
Reportedly, a malicious actor could exploit this vulnerability by sending a specially crafted request to bypass access restrictions.
Another severe vulnerability, tracked as CVE-2021-27430, is a consequence of unused hard-coded credentials in the bootloader binary that could be potentially exploited by malicious actors.
Also fixed by GE is another high severity flaw (CVE-2021-27428) that could permit an unauthorized user to upgrade firmware without appropriate privileges.
Of the remaining four vulnerabilities, two were classified as improper input validation, and the other two result from exposure of sensitive information to unauthorized users.
These vulnerabilities could potentially compromise GE Universal Relay devices by exposing them to cross-site scripting attacks, enabling malicious actors to access critical data without authentication, and even rendering the web server unresponsive.
Finally, all versions of GE Universal Relay firmware preceding 8.1x were found to use weak encryption and MAC algorithms for SSH communications, which could expose them to severe brute-force attacks.
“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities,” the agency said. “Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet, [and] locate control system networks and remote devices behind firewalls and isolate them from the business network.”
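As an added illustration of auditing for the SSH weakness noted above (this is not code from GE or CISA), the sketch below parses a server's SSH_MSG_KEXINIT payload as laid out in RFC 4253 and reports any offered ciphers or MACs on a deny-list. The deny-list contents and the sample payload are assumptions constructed for this example, since the summary does not name the specific algorithms.

```python
import struct

# Assumption: the text above does not name the weak algorithms. This deny-list
# holds widely deprecated SSH choices and should be tuned to local policy.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Return the algorithm name-lists carried in a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}                         # skip type byte + 16-byte cookie
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[offset:offset + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        offset += length
    return lists

def weak_offers(payload: bytes) -> dict:
    """List deny-listed ciphers and MACs offered in either direction."""
    lists = parse_kexinit(payload)
    ciphers = set(lists["enc_c2s"]) | set(lists["enc_s2c"])
    macs = set(lists["mac_c2s"]) | set(lists["mac_s2c"])
    return {"ciphers": sorted(ciphers & WEAK_CIPHERS),
            "macs": sorted(macs & WEAK_MACS)}

def name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

# Constructed sample payload (not captured from any real device).
SAMPLE_KEXINIT = bytes([20]) + bytes(16) + b"".join(name_list(n) for n in [
    ["diffie-hellman-group14-sha256"], ["ssh-rsa"],
    ["aes128-cbc", "aes256-ctr"], ["aes128-cbc", "aes256-ctr"],
    ["hmac-md5", "hmac-sha2-256"], ["hmac-md5", "hmac-sha2-256"],
    ["none"], ["none"], [], []]) + b"\x00" + struct.pack(">I", 0)

if __name__ == "__main__":
    print(weak_offers(SAMPLE_KEXINIT))
```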