GE created new firmware to mitigate vulnerabilities in its D60 Line Distance Relay, a stack-based buffer overflow and an improper restriction of operations within the bounds of a memory buffer, according to a report with ICS-CERT.
D60 devices running firmware Version 7.11 and prior suffer from the remotely exploitable vulnerabilities, discovered by Kirill Nesterov of Kaspersky Lab.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on the device.
No known exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
Multiple stack-based buffer overflow vulnerabilities have been identified, which may allow remote code execution.
CVE-2018-5475 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the SSH functions of the device are vulnerable to buffer overflow conditions that may allow a remote attacker to execute arbitrary code on the device.
CVE-2018-5473 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The product is used mainly in the energy sector and is deployed on a global basis.
GE released firmware that addresses the vulnerabilities.
Authentication will be required to download the firmware.