Critical vulnerabilities have been identified in General Electric D60 Line Distance Relay devices. The vulnerabilities could allow attackers to execute code on vulnerable systems.
# Vulnerability: Multiple Critical Flaws in GE D60 Line Distance Relays
## CVE Details
* **CVE ID:** CVE-2018-5449, CVE-2018-5453, CVE-2018-5457 (note: these are the primary identifiers associated with the GE UR reporting period)
* **CVSS Score:** 9.8 (Critical)
* **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
* **Products:** General Electric (GE) Multilin D60 Line Distance Relay (Universal Relay family)
* **Versions:** All firmware versions prior to v7.30
* **Configurations:** Devices with web management interfaces enabled and connected to a network.
## Vulnerability Description
The D60 relay contains multiple critical security flaws, primarily centered on a stack-based buffer overflow and insufficient validation of input received via the web interface. An attacker can send specially crafted HTTP requests to the device's web server. Because the application does not verify the length of the input before copying it into a fixed-size stack buffer, adjacent stack memory can be overwritten. This allows the execution flow to be redirected, leading to remote code execution (RCE) at the privilege level of the web service.
## Exploitation
* **Status:** Proof-of-concept (PoC) known to exist in private research circles; no widespread exploitation in the wild at the time of reporting.
* **Complexity:** Low
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** High (Potential to access device configuration and logs)
* **Integrity:** High (Potential to modify relay logic or protection settings)
* **Availability:** High (Potential to crash the relay or cause unintended tripping/locking of power line protection)
## Remediation
### Patches
* **GE Multilin UR Firmware v7.30 or higher:** GE released updated firmware that addresses these vulnerabilities by improving input validation and memory handling. Users should upgrade all D60 units to the latest stable firmware branch.
### Workarounds
* **Disable Web Interface:** If the web management interface is not required for daily operations, disable it via the front panel or serial connection.
* **Network Segmentation:** Place UR devices on a dedicated, isolated management VLAN with strict access control lists (ACLs).
* **VPN/SSH Tunneling:** If remote access is required, use a secure gateway (VPN) rather than exposing the relay interface directly to the business network.
## Detection
* **Indicators of Compromise:** Unusual HTTP HEAD or POST requests containing long strings of repetitive characters (e.g., "A"s) or non-printable ASCII characters directed at the relay’s IP.
* **Detection Methods:**
  * Monitor for unexpected reboots of D60 hardware, which can indicate that the relay crashed on malformed input.
  * Utilize Intrusion Detection Systems (IDS) with signatures that look for buffer overflow patterns in HTTP traffic destined for relay web interfaces (e.g., ports 80 and 443).
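As an added example (not part of the advisory or of any vendor tooling), the indicator above expressed as a Python check over constructed HTTP request records: it flags HEAD or POST requests to a relay address whose path, headers or body contain a long run of one repeated character, non-printable ASCII, or an oversized field. The relay IP, the thresholds and the sample records are assumptions chosen for the illustration.

```python
import re

# Placeholder relay address (RFC 5737 documentation range); not from the advisory.
RELAY_IPS = {"192.0.2.10"}
WATCH_METHODS = {"HEAD", "POST"}  # the methods the advisory's indicator names
# Thresholds are assumptions for this example, not vendor values.
REPEAT_RUN_MIN = 64    # a run of one repeated character at least this long
LONG_FIELD_MIN = 512   # a single path/header/body value longer than this

_REPEAT_RUN = re.compile(r"(.)\1{%d,}" % (REPEAT_RUN_MIN - 1), re.DOTALL)
_NON_PRINTABLE = re.compile(r"[^\x20-\x7e\r\n\t]")

def suspicious_fields(fields: dict[str, str]) -> list[str]:
    """One reason per indicator matched per field: repeated-character run,
    non-printable ASCII, or an oversized value for a normally short field."""
    hits: list[str] = []
    for name, value in fields.items():
        if _REPEAT_RUN.search(value):
            hits.append(f"{name}: repeated-character run")
        if _NON_PRINTABLE.search(value):
            hits.append(f"{name}: non-printable bytes")
        if len(value) > LONG_FIELD_MIN:
            hits.append(f"{name}: length {len(value)} > {LONG_FIELD_MIN}")
    return hits

def check_request(dst_ip: str, method: str, path: str,
                  headers: dict[str, str], body: str) -> list[str]:
    """Apply the indicators only to HEAD/POST requests aimed at a relay."""
    if dst_ip not in RELAY_IPS or method not in WATCH_METHODS:
        return []
    fields = {"path": path, "body": body}
    fields.update({f"header:{k}": v for k, v in headers.items()})
    return suspicious_fields(fields)

def scan(records: list[tuple]) -> list[tuple[int, list[str]]]:
    """Return (record index, reasons) for every request that matched."""
    return [(i, r) for i, rec in enumerate(records) if (r := check_request(*rec))]

# Constructed sample traffic (dst_ip, method, path, headers, body), as a proxy or IDS might log it.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "GET", "/index.htm", {"User-Agent": "Mozilla/5.0"}, ""),
    ("192.0.2.10", "HEAD", "/" + "A" * 600, {}, ""),                        # overflow-style path
    ("192.0.2.10", "POST", "/settings.htm", {}, "\x90\x90\x01\x02" + "B" * 20),  # binary body
    ("198.51.100.5", "POST", "/" + "A" * 600, {}, ""),                      # not a relay
    ("192.0.2.10", "POST", "/login", {"Host": "192.0.2.10"}, "user=admin&pass=secret"),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx][1], reasons)
```

Tune the thresholds against a baseline of legitimate relay web traffic before alerting on them, since some legitimate paths and cookies are long.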
## References
* GE Grid Solutions Advisory: hxxp[://]www[.]gegridsolutions[.]com/app/Resources.aspx?prod=d60&type=7
* Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/02/22/vulnerabilities-in-ge-d60-line-distance-relay-devices/
* CISA ICS Advisory (ICSA-18-051-01): hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-051-01