CVE-2017-7905

9.8 CRITICAL

📋 TL;DR

This CVE describes a weak cryptography vulnerability in GE Multilin protection relays where user passwords are encrypted using a non-random initialization vector, making them susceptible to dictionary attacks. Attackers can obtain password ciphertext from the front LCD panel or via Modbus commands. Affected systems include multiple GE Multilin relay models with specific firmware versions.

💻 Affected Systems

Products:
  • GE Multilin SR 750 Feeder Protection Relay
  • GE Multilin SR 760 Feeder Protection Relay
  • GE Multilin SR 469 Motor Protection Relay
  • GE Multilin SR 489 Generator Protection Relay
  • GE Multilin SR 745 Transformer Protection Relay
  • GE Multilin SR 369 Motor Protection Relay
  • Multilin Universal Relay
  • Multilin URplus (D90, C90, B95)
Versions: See firmware versions in CVE description
Operating Systems: Embedded relay firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected products are vulnerable in default configuration. Physical access to LCD panel or network access to Modbus interface required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could decrypt passwords, gain administrative access to protection relays, and potentially disrupt critical industrial operations or cause physical damage by manipulating relay settings.

🟠 Likely Case

Attackers with physical or network access could obtain password ciphertext and perform offline dictionary attacks to gain unauthorized access to relay configuration interfaces.

🟢 If Mitigated

With proper network segmentation and access controls, attackers would be unable to reach the vulnerable systems or obtain password ciphertext.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires obtaining password ciphertext via physical access to LCD or Modbus commands, then performing dictionary attacks offline.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SR 750/760: v7.47+, SR 469/745: v5.23+, SR 489: v4.06+, Universal Relay: >v6.0

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A

Restart Required: Yes

Instructions:

1. Download firmware updates from GE Grid Solutions.
2. Follow GE's firmware update procedures for each relay model.
3. Verify the update succeeded and reconfigure passwords.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate affected relays in separate network segments with strict access controls

Physical Security Controls (applies to: all)

Restrict physical access to relay LCD panels and control cabinets

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to block unauthorized Modbus access
  • Change all passwords to complex, non-dictionary phrases and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the relay interface or Modbus commands and compare it against the patched versions listed in the advisory

Check Version:

Use relay front panel interface or Modbus commands specific to each relay model (consult GE documentation)

Verify Fix Applied:

Verify that the firmware version has been updated to the patched version and test the password encryption behavior

📡 Detection & Monitoring

Log Indicators:

  • Unusual Modbus traffic patterns
  • Multiple failed authentication attempts
  • Unauthorized configuration changes

Network Indicators:

  • Modbus traffic from unexpected sources
  • Password-related queries via Modbus

SIEM Query:

dest_port=502 AND (function_code=3 OR function_code=6) AND NOT src_ip IN [authorized_ips]

Modbus/TCP requests are sent to port 502 on the relay, so the client-side filter keys on the destination port (the original query's source_port=502 would only match the relay's responses). Function code 3 is Read Holding Registers and 6 is Write Single Register; field names are placeholders to be mapped onto your SIEM's Modbus parser schema.
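The query above expressed as runnable detection logic, added here as an example and not part of the advisory: it parses the MBAP header and function code of Modbus/TCP requests and flags reads (FC 3) or writes (FC 6) to port 502 from clients outside an assumed allowlist. The client IPs, relay IP and sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Assumed allowlist of HMIs / engineering workstations permitted to speak
# Modbus to the relays (constructed for this example).
AUTHORIZED_CLIENTS = {"10.10.1.5", "10.10.1.6"}
MODBUS_TCP_PORT = 502
# Function codes from the SIEM query: 3 = Read Holding Registers, 6 = Write Single Register.
WATCHED_FUNCTION_CODES = {3, 6}

@dataclass
class ModbusRequest:
    src_ip: str
    dst_ip: str
    dst_port: int
    transaction_id: int
    unit_id: int
    function_code: int

def parse_modbus_tcp(src_ip, dst_ip, dst_port, payload):
    """Parse the 7-byte MBAP header plus the function code of a Modbus/TCP ADU."""
    if len(payload) < 8:
        raise ValueError("ADU too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match ADU size")
    return ModbusRequest(src_ip, dst_ip, dst_port, tid, unit, payload[7])

def is_suspicious(req):
    """Mirror of the SIEM query: watched FC to TCP/502 from a non-allowlisted client."""
    return (req.dst_port == MODBUS_TCP_PORT
            and req.function_code in WATCHED_FUNCTION_CODES
            and req.src_ip not in AUTHORIZED_CLIENTS)

def scan(records):
    """Return alert strings for (src_ip, dst_ip, dst_port, raw ADU bytes) records."""
    alerts = []
    for src, dst, dport, payload in records:
        try:
            req = parse_modbus_tcp(src, dst, dport, payload)
        except ValueError:
            continue  # malformed or non-Modbus traffic is outside this rule's scope
        if is_suspicious(req):
            alerts.append(f"{src} -> {dst}:{dport} unit={req.unit_id} "
                          f"fc={req.function_code} tid={req.transaction_id}")
    return alerts

# Constructed traffic: FC3 from an authorized HMI, then FC3 and FC6 from an unknown host.
SAMPLE = [
    ("10.10.1.5",   "10.10.2.20", 502, bytes.fromhex("000100000006010300000002")),
    ("192.168.5.9", "10.10.2.20", 502, bytes.fromhex("000200000006010300000002")),
    ("192.168.5.9", "10.10.2.20", 502, bytes.fromhex("0003000000060106001000aa")),
]
```

Running `scan(SAMPLE)` yields two alerts, both for 192.168.5.9; the authorized HMI's read is ignored.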
