CVE-2024-46603
📋 TL;DR
An XML External Entity (XXE) vulnerability in Elspec Engineering G5 Digital Fault Recorder firmware allows attackers to cause Denial of Service (DoS) by sending specially crafted XML payloads. This affects organizations using G5 Digital Fault Recorders in power grid monitoring and protection systems. The vulnerability enables attackers to disrupt critical monitoring functions.
💻 Affected Systems
- Elspec Engineering G5 Digital Fault Recorder
📦 What is this software?
G5dfr Firmware by Elspec Ltd
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of fault recording and monitoring capabilities, potentially masking grid faults and leading to cascading power outages or equipment damage.
Likely Case
Temporary DoS causing loss of monitoring data during critical events, requiring manual intervention to restore functionality.
If Mitigated
Limited impact with proper network segmentation and XML filtering, potentially causing brief service interruptions.
🎯 Exploit Status
Requires knowledge of XXE exploitation techniques and access to the device's XML interface. No public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for patched version
Vendor Advisory: https://www.elspec-ltd.com/support/security-advisories/
Restart Required: No
Instructions:
1. Visit the vendor security advisory page
2. Download the patched firmware version
3. Follow vendor's firmware update procedure
4. Verify the update was successful
🔧 Temporary Workarounds
Disable XML External Entity Processing
Configure the XML parser to disable external entity resolution, if the device configuration supports it
Network Segmentation
Isolate G5 Digital Fault Recorders from untrusted networks and restrict XML traffic
🧯 If You Can't Patch
- Implement strict network access controls to limit XML traffic to trusted sources only
- Deploy XML filtering proxies or firewalls to sanitize XML payloads before they reach the device
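One way to implement the payload check such a filtering proxy would run on each request body before forwarding it (an added example, not vendor code). It assumes the proxy sees the complete body as bytes and that legitimate traffic to the device never needs a DTD; `check_payload` and the sample payloads are constructed for illustration.

```python
from xml.parsers import expat


class RejectedXML(Exception):
    """Raised by a handler to abort parsing as soon as a forbidden construct appears."""


def check_payload(payload: bytes) -> str:
    """Return 'forward' for well-formed, DTD-free XML, otherwise a reject reason.

    A real parser is used instead of a byte-level regex so that the check still
    works when the payload is sent in another encoding such as UTF-16.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of <!DOCTYPE ...>, before any entity is declared.
        raise RejectedXML("reject: DOCTYPE declaration")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: only reachable if the DOCTYPE rule is ever relaxed.
        raise RejectedXML("reject: entity declaration")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve an external entity in the filter.
        raise RejectedXML("reject: external entity reference")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(payload, True)
    except RejectedXML as exc:
        return str(exc)
    except expat.ExpatError:
        # Malformed input is dropped too, so the device parser never sees it.
        return "reject: not well-formed"
    return "forward"


if __name__ == "__main__":
    # Constructed sample payloads; the element names are placeholders.
    samples = [
        b"<request><channel>1</channel></request>",
        b'<!DOCTYPE r [<!ENTITY x "v">]><r>&x;</r>',
        '<!DOCTYPE r [<!ENTITY x "v">]><r>&x;</r>'.encode("utf-16"),
        b"<request><channel>",
    ]
    for body in samples:
        print(check_payload(body), "<-", body[:40])
```

Log every rejected request with its source address; those records feed the network indicators listed under Detection & Monitoring.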
🔍 How to Verify
Check if Vulnerable:
Check firmware version via device web interface or CLI. If version is v1.2.1.12, the system is vulnerable.
Check Version:
Check via device web interface or refer to device documentation for version query commands
Verify Fix Applied:
Verify firmware version has been updated to a patched version as specified in vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Device restart logs following XML processing
- Increased XML traffic to device
Network Indicators:
- XML payloads with DOCTYPE declarations or external entity references sent to device
- Unusual traffic patterns to device XML endpoints
SIEM Query:
source="g5-fault-recorder" AND (message="XML parse error" OR message="entity resolution")