Full Report
An improper input validation vulnerability has been identified in the Nari PCS-9611 protection relay. Although an exploit for the vulnerability exists, the vendor has so far not commented on the problem.
Analysis Summary
# Vulnerability: Improper Input Validation in Nari PCS-9611 Protection Relay
## CVE Details
- **CVE ID:** CVE-2018-6395
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Nari Technology PCS-9611 Protection Relay (Feeder Management Relay).
- **Versions:** All versions prior to the latest (unspecified) updates; the firmware current as of January 2018 was specifically identified as affected.
- **Configurations:** Devices whose Ethernet interfaces expose the management/communication protocols.
## Vulnerability Description
The Nari PCS-9611 relay contains an improper input validation vulnerability within its communication interface. The device fails to properly sanitize or validate incoming data packets, which can allow an attacker to send specially crafted packets to the device. This lack of validation can lead to an internal processing error, resulting in a Denial of Service (DoS) condition or potential remote code execution.
## Exploitation
- **Status:** PoC available / exploitation reported (based on the reported existence of an exploit).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None/Low (Dependent on exploit vector)
- **Integrity:** High (Potential for unauthorized configuration changes)
- **Availability:** High (Device may crash or reboot, disrupting power system protection functions)
## Remediation
### Patches
- **Status:** No official patch has been publicly confirmed by the vendor (Nari Technology) specifically addressing this CVE as of the reporting date. Users are advised to contact the vendor directly for updated firmware.
### Workarounds
- **Network Segmentation:** Isolate the PCS-9611 relays on a dedicated security zone (ICCP/Control network) that is not accessible from the corporate LAN or the Internet.
- **Access Control Lists (ACLs):** Implement strict firewall rules to allow traffic only from authorized Engineering Workstations (EWS) or SCADA servers.
- **Disable Unnecessary Services:** Turn off any unused communication protocols or management ports on the relay.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, loss of communication with the SCADA system, or logs indicating malformed packet errors.
- **Detection Methods:** Monitor network traffic for unusual or malformed industrial protocol packets directed at the relay's IP address. Use ICS-aware IDS/IPS signatures looking for CVE-2018-6395 patterns.
## References
- **Vendor Advisory:** hxxp[://]www[.]nari-relays[.]com/ (No direct advisory issued at time of publication)
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/vulnerability-reports/2018/01/29/vulnerability-in-nari-pcs-9611-relays/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-6395