GE Digital Energy's Hydran M2 devices containing the 17046 Ethernet option and purchased before October 2014 have a predictable TCP sequence vulnerability, according to a report on ICS-CERT. After October 2014, the vulnerability was eliminated from products.
Hydran M2 devices containing the 17046 Ethernet option and released prior to October 2014 suffer from the remotely exploitable issue.
Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, discovered the vulnerability.
Successful exploitation of this vulnerability could result in the manipulation or spoofing of TCP connections, which could result in a denial-of-service (DoS) condition for the Hydran M2 device or transmission of inaccurate data regarding developing fault conditions in transformers.
GE Digital Energy is a U.S.-based company that maintains offices in several countries around the world.
The affected product, Hydran M2, is an online transformer monitoring device that provides alerts to personnel of developing fault conditions by analyzing the composite value of various gases and oil moisture levels. According to GE Digital Energy, the Hydran M2 is deployed primarily across the energy sector. GE Digital Energy said these products are used globally.
The GE Hydran M2 generates predictable TCP initial sequence numbers that may allow an attacker to predict the correct TCP initial sequence numbers and send counterfeit packets, which, if configured correctly, could appear to originate from the Hydran M2.
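As an added example (not from ICS-CERT or GE Digital Energy), the following Python code shows how a defender could check initial sequence numbers recorded from a device's SYN-ACK packets in their own capture for the simple patterns that make them predictable. The function name `assess_isns`, the 1% tolerance and all sample values are assumptions constructed for illustration; the page does not describe the Hydran M2's actual sequence algorithm.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples: (capture time in seconds, ISN from one SYN-ACK).
FIXED_STEP = [(0.0, 4294901760), (0.4, 4294965760), (1.9, 62464),
              (2.1, 126464), (5.0, 190464)]
CLOCK_DRIVEN = [(0.0, 1000), (0.5, 126000), (1.3, 326000),
                (2.0, 501000), (3.7, 926000)]
RANDOMIZED = [(0.0, 0x3A91F2C4), (0.5, 0xE07B11D0), (1.3, 0x0C55A8EE),
              (2.0, 0x91D3407B), (3.7, 0x5F02C619)]


def assess_isns(samples, tolerance=0.01):
    """Classify ISNs from one host, given in capture order.

    Returns "constant-increment", "time-based" or "no-simple-pattern".
    """
    if len(samples) < 4:
        raise ValueError("need at least 4 samples to judge a pattern")
    steps = []
    for (t0, isn0), (t1, isn1) in zip(samples, samples[1:]):
        # Modular difference, so a counter that wraps past 2**32 still matches.
        steps.append((t1 - t0, (isn1 - isn0) % MOD))

    # Pattern 1: every new connection advances the ISN by the same amount.
    if len({delta for _, delta in steps}) == 1:
        return "constant-increment"

    # Pattern 2: the ISN follows a clock, so delta / elapsed time is constant.
    rates = [delta / dt for dt, delta in steps if dt > 0]
    if len(rates) == len(steps):
        mean = sum(rates) / len(rates)
        if all(abs(r - mean) <= tolerance * mean for r in rates):
            return "time-based"

    # Neither pattern fits; this alone does not prove the ISNs are strong.
    return "no-simple-pattern"


if __name__ == "__main__":
    for name, data in [("fixed step", FIXED_STEP),
                       ("clock driven", CLOCK_DRIVEN),
                       ("randomized", RANDOMIZED)]:
        print(f"{name}: {assess_isns(data)}")
```

A "no-simple-pattern" result only rules out the two patterns tested here, so devices that cannot be updated still belong behind the network controls the vendor recommends.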
CVE-2014-5409 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.4.
No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.
GE Digital Energy has released a new version of the Ethernet option, which resolves the identified vulnerability in newly released Hydran M2 devices. The update changes the sequence algorithm, which makes it improbable that a TCP sequence attack could succeed. The version of Ethernet card that implements this improvement is 94450214LFMT100SEM-L.R3-CL.
There is no method to update Hydran M2 devices released prior to October 2014. GE Digital Energy recommends utilities using older versions of the Hydran M2 device implement network security defensive measures, including:
• Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring
• Minimize network exposure to all other control system devices. Control system devices should not directly face the Internet or business networks
• Locate control system networks and devices behind properly configured firewalls, and isolate them from the business network
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.