CVE-2017-7905

A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/98063	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A	Patch Third Party Advisory US Government Resource
http://www.securityfocus.com/bid/98063	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A	Patch Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ge:multilin_sr_750_feeder_protection_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_750_feeder_protection_relay:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:ge:multilin_sr_760_feeder_protection_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_760_feeder_protection_relay:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:ge:multilin_sr_469_motor_protection_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_469_motor_protection_relay:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:ge:multilin_sr_489_generator_protection_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_489_generator_protection_relay:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:ge:multilin_sr_745_transformer_protection_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_745_transformer_protection_relay:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:ge:multilin_sr_369_motor_protection_relay_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_sr_369_motor_protection_relay:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:ge:multilin_universal_relay_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_universal_relay:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:ge:multilin_urplus_d90_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_urplus_d90:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:ge:multilin_urplus_c90_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_urplus_c90:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:ge:multilin_urplus_b95_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ge:multilin_urplus_b95:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:32

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/98063 - Third Party Advisory, VDB Entry~~	() http://www.securityfocus.com/bid/98063 - Third Party Advisory, VDB Entry
References	~~() https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A - Patch, Third Party Advisory, US Government Resource~~	() https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A - Patch, Third Party Advisory, US Government Resource

Information

Published : 2017-06-30 03:29

Updated : 2024-11-21 03:32

NVD link : CVE-2017-7905

Mitre link : CVE-2017-7905

CVE.ORG link : CVE-2017-7905

JSON object : View

Products Affected

multilin_urplus_c90
multilin_urplus_b95
multilin_sr_369_motor_protection_relay
multilin_sr_750_feeder_protection_relay_firmware
multilin_sr_469_motor_protection_relay_firmware
multilin_sr_489_generator_protection_relay_firmware
multilin_urplus_b95_firmware
multilin_universal_relay
multilin_urplus_d90_firmware
multilin_sr_745_transformer_protection_relay
multilin_universal_relay_firmware
multilin_sr_760_feeder_protection_relay
multilin_sr_469_motor_protection_relay
multilin_sr_745_transformer_protection_relay_firmware
multilin_sr_489_generator_protection_relay
multilin_sr_750_feeder_protection_relay
multilin_sr_369_motor_protection_relay_firmware
multilin_urplus_d90
multilin_sr_760_feeder_protection_relay_firmware
multilin_urplus_c90_firmware

CWE

CWE-261

Weak Encoding for Password

CWE-326

Inadequate Encryption Strength

CWE-330

Use of Insufficiently Random Values

CWE-522

Insufficiently Protected Credentials

9.8 /10