Security experts have found a critical vulnerability in GE Multilin SR relays that poses a serious threat to power grids worldwide.

A team of researchers from New York University has found a serious vulnerability in several GE Multilin SR protection relays that poses a serious threat to the power grid.


The experts will provide further details about the vulnerability at the upcoming Black Hat conference in Las Vegas; below is an excerpt from the abstract published on the conference website.


“Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” explained the experts in their abstract. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”


The experts will also give a live demo of the exploitation during their talk; they anticipate that an attack leveraging this issue would have a significant impact on a nation.


ICS-CERT has published a security advisory on the flaw, which is tracked as CVE-2017-7095.


An attacker can read the cipher text of a user password either from the front LCD panel or via Modbus commands, recover the password offline, and use it to gain unauthorized access to vulnerable products.


“Successful exploitation of this vulnerability may allow a remote attacker to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products,” reads the advisory.

“Cipher text versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Cipher text of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.”
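The advisory's point about the non-random initialization vector, as an added example that is not part of the original post and is not GE's code: the Multilin SR scheme is a homebrew algorithm the researchers have not published, so the cipher below is a stand-in (a CBC-style chain over a keyed one-way block function) chosen only to make the role of the IV visible. It assumes a device-wide constant key that the attacker has recovered, a fixed all-zero IV, and a constructed word list. The hypothetical functions `build_dictionary`, `recover`, `same_password`, `store_password` and `verify_password` are mine, not the device's.

```python
import hashlib
import hmac
import os

BLOCK = 8
# Constructed values: a stand-in for a device-wide constant key an attacker has
# recovered, and for the non-random IV the advisory describes.
DEVICE_KEY = b"constant-firmware-key"
FIXED_IV = bytes(BLOCK)


def _block(key: bytes, data: bytes) -> bytes:
    """Keyed one-way 8-byte block function (stand-in, not a real cipher).
    The attack below never decrypts, it only re-encrypts guesses, so a
    one-way function is enough to show the problem."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def encrypt_cbc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-style chaining: block i is XORed with cipher text block i-1 (the IV
    for block 0) before the keyed block function. With a fixed key and a fixed
    IV the output depends only on the plaintext, i.e. it is deterministic."""
    out, prev = [], iv
    padded = _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _block(key, mixed)
        out.append(prev)
    return b"".join(out)


def build_dictionary(wordlist, key=DEVICE_KEY, iv=FIXED_IV) -> dict:
    """Attacker side: encrypt every candidate once. Because the IV never
    changes, the table is computed once and reused against every device that
    shares the key, and against every cipher text read off the LCD or Modbus."""
    return {encrypt_cbc(key, iv, w.encode()): w for w in wordlist}


def recover(captured: bytes, table: dict):
    """Look a captured cipher text up in the precomputed table."""
    return table.get(captured)


def same_password(ct1: bytes, ct2: bytes) -> bool:
    """What a fixed IV leaks even without the key: equal cipher texts mean
    equal passwords, so password reuse across users or devices is visible."""
    return hmac.compare_digest(ct1, ct2)


def store_password(pw: bytes, salt: bytes = None, iters: int = 200_000):
    """The fix: salted, slow, one-way storage instead of reversible
    encryption. A fresh random salt per record plays the role the IV should
    have played: equal passwords no longer give equal records, and no table
    can be precomputed before the salt is known. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, iters)


def verify_password(pw: bytes, salt: bytes, digest: bytes, iters: int = 200_000) -> bool:
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw, salt, iters), digest)


if __name__ == "__main__":
    wordlist = ["admin", "password", "1234", "relay750", "operator"]  # constructed
    stored = encrypt_cbc(DEVICE_KEY, FIXED_IV, b"relay750")  # as read from a device
    print("recovered:", recover(stored, build_dictionary(wordlist)))
    salt, digest = store_password(b"relay750")
    print("pbkdf2 verify:", verify_password(b"relay750", salt, digest))
```

Two things to take from this. First, the fixed IV is what turns a key recovery into a one-time cost: one table serves every relay and every password read off a panel or over Modbus, whereas a per-record random IV (or salt) forces the attacker to start over for each target. Second, a device only ever needs to verify a password, never to read it back, so the right fix is a salted slow hash rather than a better cipher; PBKDF2 is used here because it ships with the standard library, and scrypt or Argon2 are preferable where the firmware can afford them.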


The following versions of GE Multilin SR relays are affected by the flaw:


  • 750 Feeder Protection Relay, firmware versions prior to Version 7.47,
  • 760 Feeder Protection Relay, firmware versions prior to Version 7.47,
  • 469 Motor Protection Relay, firmware versions prior to Version 5.23,
  • 489 Generator Protection Relay, firmware versions prior to Version 4.06,
  • 745 Transformer Protection Relay, firmware versions prior to Version 5.23, and
  • 369 Motor Protection Relay, all firmware versions.

GE has promptly released firmware updates that fix the vulnerability for most of the above products. The firmware updates for 369 Motor Protection Relays are expected to be released in June.


To mitigate the vulnerability GE recommends that users apply updated firmware versions to affected products, as well as implement the following best practices:


  • Control access to affected products by keeping devices in a locked and secure environment,
  • Remove passwords when decommissioning devices,
  • Monitor and block malicious network activity, and
  • Implement appropriate network segmentation and place affected devices within the control system network, behind properly configured firewalls. Protection and Control system devices should not be directly connected to the Internet or business networks.

While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.


Posted 2017-04-30 23:50 by HacTF