The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical security shortcomings in GE’s Universal Relay (UR) family of power management devices.
“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition,” the agency said in an advisory published on March 16.
GE’s universal relays provide integrated monitoring and metering, high-speed communications, and simplified power management for the protection of critical assets.
The flaws, which affect a number of UR advanced protection and control relays, including B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60, were addressed by GE with the release of an updated version of the UR firmware (version 8.10) made available on December 24, 2020.
The patches resolve a total of nine vulnerabilities, the most serious of which is an insecure default variable initialization (CWE-453), a weakness class in which an internal variable in the software starts out with an insecure value rather than a safe one. That vulnerability, tracked as CVE-2021-27426, carries a CVSS v3 base score of 9.8 out of 10, making it a critical issue.
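To make the weakness class concrete, the following is an added example written for this page; it is not GE’s firmware, and the article does not describe the internals of CVE-2021-27426, so the loader, the settings record, and the field names (auth_required, debug_shell) are all hypothetical. It shows why CWE-453 matters in a device: when the default value of a security-relevant variable is the permissive one, any path that skips or fails the configuration step leaves the device open. The hardened loader initializes to the most restrictive state first and only relaxes it when a valid settings record is present.

```c
/* Added example, not GE's code: CWE-453 (insecure default variable
 * initialization) in a hypothetical device configuration loader,
 * beside a fail-closed version. All names here are assumptions. */
#include <stdbool.h>
#include <stdio.h>

struct device_cfg {
    bool auth_required;   /* must a client authenticate before privileged commands? */
    bool debug_shell;     /* is a maintenance shell exposed on the network? */
};

/* Simulated non-volatile settings record (constructed sample input). */
struct nv_record {
    bool valid;           /* false models a missing or corrupt record */
    bool auth_required;
    bool debug_shell;
};

/* Insecure pattern: the defaults are the permissive values, and a
 * missing or corrupt settings record silently leaves them in place. */
void load_cfg_insecure(struct device_cfg *cfg, const struct nv_record *nv)
{
    cfg->auth_required = false;   /* CWE-453: permissive default */
    cfg->debug_shell   = true;    /* CWE-453: permissive default */
    if (nv->valid) {
        cfg->auth_required = nv->auth_required;
        cfg->debug_shell   = nv->debug_shell;
    }
}

/* Hardened pattern: initialize to the most restrictive state, refuse to
 * weaken it unless the stored settings are valid, and report failure so
 * the caller can log it or enter a safe maintenance state. Returns 0 on
 * success, -1 when the restrictive defaults were kept. */
int load_cfg_secure(struct device_cfg *cfg, const struct nv_record *nv)
{
    cfg->auth_required = true;    /* fail closed */
    cfg->debug_shell   = false;   /* fail closed */
    if (!nv->valid)
        return -1;
    cfg->auth_required = nv->auth_required;
    cfg->debug_shell   = nv->debug_shell;
    return 0;
}

/* Would this configuration let an unauthenticated client reach
 * privileged functionality? */
bool privileged_without_auth(const struct device_cfg *cfg)
{
    return !cfg->auth_required || cfg->debug_shell;
}

int main(void)
{
    /* Constructed scenario: the settings record is unreadable. */
    struct nv_record corrupt = { .valid = false };
    struct device_cfg a, b;

    load_cfg_insecure(&a, &corrupt);
    int rc = load_cfg_secure(&b, &corrupt);

    printf("insecure loader exposes privileged access: %s\n",
           privileged_without_auth(&a) ? "yes" : "no");
    printf("hardened loader exposes privileged access: %s (rc=%d)\n",
           privileged_without_auth(&b) ? "yes" : "no", rc);
    return 0;
}
```

The check a reviewer would apply to firmware like this is simple: for every variable that gates authentication, debug access, or privileged commands, the value assigned before any configuration is read must be the restrictive one, and every failure path out of the loader must leave it there.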