CVE-2017-7928
📋 TL;DR
This vulnerability in Schweitzer Engineering Laboratories security gateways allows unauthorized communications to downstream devices when configured for NAT port forwarding. It affects SEL-3620 and SEL-3622 Security Gateway devices running vulnerable firmware versions, potentially exposing industrial control systems to external attacks.
💻 Affected Systems
- SEL-3620 Security Gateway
- SEL-3622 Security Gateway
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass all network security controls and directly access critical industrial control systems, potentially causing physical damage, operational disruption, or safety incidents.
Likely Case
Unauthorized access to downstream industrial control devices, allowing attackers to monitor, modify, or disrupt industrial processes.
If Mitigated
With proper network segmentation and access controls, impact would be limited to isolated network segments.
🎯 Exploit Status
Exploitation requires network access to the vulnerable device and knowledge of NAT port forwarding configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R204-V2 and later
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06
Restart Required: Yes
Instructions:
1. Download firmware version R204-V2 or later from the SEL website.
2. Back up the current configuration.
3. Upload the new firmware via the web interface or console.
4. Reboot the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
Disable NAT Port Forwarding
Remove or disable NAT port forwarding configurations on affected devices.
Access device web interface > NAT Configuration > Remove all port forwarding rules
Network Segmentation
Isolate affected devices behind additional firewalls with strict access controls.
🧯 If You Can't Patch
- Implement strict network access controls to limit traffic to affected devices
- Monitor network traffic for unauthorized access attempts to downstream systems
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > About). If the version is R202, R203, R203-V1, R203-V2, R204, or R204-V1, the device is vulnerable when NAT port forwarding is enabled.
Check Version:
ssh admin@device-ip 'show version' or check web interface System > About page
Verify Fix Applied:
Verify firmware version is R204-V2 or later and confirm NAT port forwarding rules are properly enforced.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to downstream IPs
- Unexpected NAT table entries
- Port forwarding rule violations
Network Indicators:
- Unexpected traffic patterns to downstream devices
- Port scans targeting forwarded ports
- Traffic bypassing expected security controls
SIEM Query:
source_ip IN (external_ips) AND dest_ip IN (downstream_ips) AND NOT source_ip IN (authorized_ips)
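The version check from "How to Verify" and the SIEM query above, as an added example that is not part of the advisory or SEL's own tooling. It assumes SEL firmware versions follow the `R<number>[-V<number>]` pattern seen on this page, and takes the external, downstream and authorized sets as CIDR lists; the flow records are constructed sample data.

```python
"""Added example (not the advisory's own code): triage an SEL firmware
version string against the CVE-2017-7928 fix line, and apply the page's
SIEM query to constructed flow records."""
import ipaddress
import re

# Versions the advisory lists as vulnerable when NAT port forwarding is on.
VULNERABLE = {"R202", "R203", "R203-V1", "R203-V2", "R204", "R204-V1"}
FIXED_FROM = (204, 2)  # R204-V2 and later carry the fix
_VER = re.compile(r"^R(\d+)(?:-V(\d+))?$")  # assumed version format

# Constructed sample flows (src, dst); addresses are documentation ranges.
SAMPLE_FLOWS = [("203.0.113.5", "10.10.1.20"), ("10.0.0.7", "10.10.1.20"),
                ("198.51.100.9", "10.10.1.20"), ("203.0.113.5", "10.20.1.1")]


def parse_version(text):
    """'R204-V2' -> (204, 2); a bare 'R204' sorts before 'R204-V1'."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def assess(version, nat_port_forwarding):
    """Return 'fixed', 'vulnerable', 'exposed-if-enabled' or 'unknown'."""
    if parse_version(version) >= FIXED_FROM:
        return "fixed"
    if version.strip() in VULNERABLE:
        return "vulnerable" if nat_port_forwarding else "exposed-if-enabled"
    return "unknown"  # older than anything the advisory lists


def suspicious_flows(flows, external, downstream, authorized):
    """The page's SIEM query: source in external_ips AND dest in
    downstream_ips AND source NOT in authorized_ips. Inputs are CIDR lists."""
    ext = [ipaddress.ip_network(n) for n in external]
    down = [ipaddress.ip_network(n) for n in downstream]
    auth = [ipaddress.ip_network(n) for n in authorized]
    hits = []
    for src, dst in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (any(s in n for n in ext) and any(d in n for n in down)
                and not any(s in n for n in auth)):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    print(assess("R203-V1", nat_port_forwarding=True))
    print(suspicious_flows(SAMPLE_FLOWS, ["203.0.113.0/24", "198.51.100.0/24"],
                           ["10.10.1.0/24"], ["198.51.100.0/24"]))
```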