GE Hydran M2 Predictable TCP Initial Sequence Vulnerability
ICSA: ICS Advisory (ICSA-15-041-02)
This advisory was originally posted to the US-CERT secure Portal library on February 10, 2015, and is being released to the NCCIC/ICS-CERT web site.
Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, identified a predictable TCP sequence vulnerability in GE Digital Energy’s Hydran M2 device, containing the 17046 Ethernet option. The vulnerability has been eliminated from products released after October 2014.
This vulnerability could be exploited remotely.
The following GE Digital Energy products are affected:
• Hydran M2, containing the 17046 Ethernet option, released prior to October 2014.
Successful exploitation of this vulnerability could result in the manipulation or spoofing of TCP connections, which could result in a denial-of-service condition for the Hydran M2 device or transmission of inaccurate data regarding developing fault conditions in transformers.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
GE Digital Energy is a US-based company that maintains offices in several countries around the world.
The affected product, Hydran M2, is an online transformer monitoring device that provides alerts to personnel of developing fault conditions by analyzing the composite value of various gases and oil moisture levels. According to GE Digital Energy, the Hydran M2 is primarily deployed across the Energy sector. GE Digital Energy estimates that these products are used globally.
PREDICTABLE VALUE RANGE FROM PREVIOUS VALUES [a]
The GE Hydran M2 generates predictable TCP initial sequence numbers, which may allow an attacker to predict the correct TCP initial sequence numbers and send counterfeit packets that, if constructed correctly, could appear to originate from the Hydran M2.
This vulnerability could be exploited remotely.
EXISTENCE OF EXPLOIT
No known public exploits specifically target this vulnerability.
An attacker with low skill would be able to exploit this vulnerability.
GE Digital Energy has released a new version of the Ethernet option, which resolves the identified vulnerability in newly released Hydran M2 devices. The update changes the sequence number algorithm, which makes it improbable that a TCP sequence attack could succeed. The version of the Ethernet card that implements this improvement is 94450214LFMT100SEM-L.R3-CL.
There is no method to update Hydran M2 devices released prior to October 2014. GE Digital Energy recommends that utilities using older versions of the Hydran M2 device implement network security defensive measures, including the following:
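Added example, not code from GE, ICS-CERT or the researchers: a counter-based generator stands in for the weak ISN behaviour described above (it is not the Hydran M2's actual algorithm), an RFC 6528-style keyed-hash generator stands in for a corrected one, and predictability_score() is the kind of check an assessor runs on ISNs sampled from successive handshakes with a device before deciding whether it needs the compensating controls listed below. All addresses, ports, the secret and the clock values are constructed.

```python
import hashlib
import statistics

MOD = 1 << 32      # TCP sequence numbers wrap at 2^32
WINDOW = 1 << 16   # a guess this close lands inside a typical receive window


def counter_isn_sequence(start, step, count):
    """Weak generator (constructed): each ISN is the previous one plus a constant."""
    return [(start + i * step) % MOD for i in range(count)]


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, secret, clock_us):
    """RFC 6528 shape: ISN = M + F(4-tuple, secret), where M is a 4-microsecond clock
    and F is a keyed hash, so observing one connection reveals nothing about another."""
    m = (clock_us // 4) % MOD
    key = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hashlib.sha256(secret + key).digest()[:4], "big")
    return (m + f) % MOD


def circular_distance(a, b):
    """Shortest distance between two 32-bit sequence numbers on the wrapping number line."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def predictability_score(isns):
    """Fraction of sampled ISNs that could be guessed to within WINDOW by adding the
    median step of the ISNs seen so far to the last one: 1.0 = fully predictable
    (the CWE-343 pattern), about 0.0 = no usable relation to previous values."""
    if len(isns) < 3:
        raise ValueError("need at least three sampled ISNs")
    hits = 0
    for i in range(2, len(isns)):
        seen = isns[:i]
        steps = [(b - a) % MOD for a, b in zip(seen, seen[1:])]
        guess = (seen[-1] + int(statistics.median(steps))) % MOD
        if circular_distance(isns[i], guess) <= WINDOW:
            hits += 1
    return hits / (len(isns) - 2)


def sample_hardened(count, secret=b"constructed-secret", base_us=1_000_000):
    """Constructed sample: ISNs a corrected stack hands to one peer that opens
    successive connections from incrementing ephemeral ports, 100 ms apart."""
    return [rfc6528_isn("192.0.2.10", 20000, "192.0.2.50", 49152 + i, secret,
                        base_us + i * 100_000) for i in range(count)]
```

Running predictability_score() over a dozen ISNs from counter_isn_sequence() returns 1.0, while the same check over sample_hardened() stays near 0.0.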
• Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring.
• Minimize network exposure to all other control system devices. Control system devices should not directly face the Internet or business networks.
• Locate control system networks and devices behind properly configured firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
GE Digital Energy’s Product Bulletin is available at the following location, with a user account:
ICS-CERT provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-343: Predictable Value Range from Previous Values, http://cwe.mitre.org/data/definitions/343.html, web site last accessed March 10, 2015.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5409, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:P, web site last accessed March 10, 2015.