CVE-2021-27422
📋 TL;DR
GE UR firmware versions prior to 8.1x expose sensitive information through the web server interface without requiring authentication. This vulnerability affects GE UR series protective relays with unpatched firmware, allowing attackers to access confidential data.
💻 Affected Systems
- GE UR Series Protective Relays
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain sensitive configuration data, operational parameters, or credentials that could facilitate further attacks on critical infrastructure systems.
Likely Case
Unauthenticated access to device information, potentially revealing network configurations and system details that could aid reconnaissance for more targeted attacks.
If Mitigated
With proper network segmentation and access controls, exposure is limited to authorized personnel only.
🎯 Exploit Status
Exploitation requires network access to the device's web interface but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.1x and later
Vendor Advisory: https://www.gegridsolutions.com/Passport/Login.aspx
Restart Required: Yes
Instructions:
1. Download firmware version 8.1x or later from the GE Grid Solutions portal.
2. Follow GE's firmware update procedures for UR series devices.
3. Verify the update succeeded and restart the device.
🔧 Temporary Workarounds
Disable HTTP Web Interface
Disable the HTTP web server interface if it is not required for operations.
Consult the GE UR device configuration manual for the web interface disable procedure.
Network Segmentation
Isolate UR devices in protected network segments with strict access controls.
Implement firewall rules to restrict access to UR device IP addresses.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to UR devices
- Monitor network traffic to UR devices for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check firmware version via device web interface or configuration software. If version is below 8.1x, device is vulnerable.
Check Version:
Check via the UR device web interface or the GE EnerVista software.
Verify Fix Applied:
Confirm firmware version is 8.1x or later and test that unauthenticated access to sensitive information is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access attempts to UR device web interface
- Multiple failed authentication attempts followed by successful information retrieval
Network Indicators:
- HTTP requests to UR device web interface without authentication headers
- Unusual information gathering patterns from UR device IP addresses
SIEM Query:
dest_ip=UR_DEVICE_IP AND http_method=GET AND response_code=200 AND NOT http_authorization=*
(Field names are placeholders; map them to your SIEM's HTTP schema. The condition to flag is a successful response served without an Authorization header, which matches the network indicator above.)