ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), U.S. Department of Homeland Security

Advisory (ICSA-15-041-02)

GE Hydran M2 Predictable TCP Initial Sequence Vulnerability

Original release date: March 10, 2015

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
OVERVIEW

This advisory was originally posted to the US-CERT secure Portal library on February 10, 2015, and is being released to the NCCIC/ICS-CERT web site.

Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, identified a predictable TCP sequence vulnerability in GE Digital Energy’s Hydran M2 device, containing the 17046 Ethernet option. The vulnerability has been eliminated from products released after October 2014.

This vulnerability could be exploited remotely.

AFFECTED PRODUCTS

The following GE Digital Energy products are affected:

• Hydran M2, containing the 17046 Ethernet option, released prior to October 2014.

IMPACT

Successful exploitation of this vulnerability could result in the manipulation or spoofing of TCP connections, which could result in a denial-of-service condition for the Hydran M2 device or transmission of inaccurate data regarding developing fault conditions in transformers.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

GE Digital Energy is a US-based company that maintains offices in several countries around the world.

The affected product, Hydran M2, is an online transformer monitoring device that provides alerts to personnel of developing fault conditions by analyzing the composite value of various gases and oil moisture levels. According to GE Digital Energy, the Hydran M2 is primarily deployed across the Energy sector. GE Digital Energy estimates that these products are used globally.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

PREDICTABLE VALUE RANGE FROM PREVIOUS VALUES

The GE Hydran M2 generates predictable TCP initial sequence numbers that may allow an attacker to predict the correct TCP initial sequence numbers and send counterfeit packets, which if configured correctly, could appear to originate from the Hydran M2.
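As an added illustration (not part of the advisory, and not GE or ICS-CERT code), the kind of check an assessor can run on ISNs captured from a host's successive SYN-ACK replies to tell a counter- or clock-driven generator from one that spreads ISNs over the full 32-bit space; the sample ISNs below are constructed.

```python
# Constructed example, not GE or ICS-CERT code: estimate how predictable a
# host's TCP initial sequence numbers (ISNs) are from the ISNs observed in its
# successive SYN-ACK replies (e.g. from a capture made during an assessment).
import math
import statistics
from functools import reduce
from itertools import accumulate

MOD = 2 ** 32  # ISNs are 32-bit, so consecutive differences wrap

def isn_deltas(isns):
    """Wrap-around differences between consecutive ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def effective_bits(isns):
    """Rough unpredictability estimate in bits: log2 of the spread of the deltas
    after dividing out any common step (a counter that always adds a multiple of
    64000 carries no more entropy than one that adds 1)."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISNs")
    step = reduce(math.gcd, deltas)
    if step > 1:
        deltas = [d // step for d in deltas]
    sd = statistics.pstdev(deltas)
    return 0.0 if sd < 1.0 else math.log2(sd)

def classify_isn_generator(isns):
    """A sound generator spreads deltas over the full 32-bit space (~30 bits);
    a counter- or clock-driven ISN scores near 0."""
    bits = effective_bits(isns)
    if bits < 8:
        return "predictable"
    if bits < 24:
        return "weak"
    return "adequate"

# Constructed samples. A fixed per-connection increment:
COUNTER_ISNS = list(accumulate([64000] * 7, initial=0x1000_0000))
# A clock-driven increment with a little jitter, still predictable:
JITTER_ISNS = list(accumulate([128000, 128300, 127900, 128100, 128200],
                              initial=0x2000_0000))
# Values spread over the whole 32-bit space, as a sound generator produces:
RANDOM_ISNS = [0x9f3c1a7b, 0x2d8e55c1, 0xe41b0f92,
               0x5a7de3c4, 0xb018c7f5, 0x3c9a6e0d]

if __name__ == "__main__":
    for name, s in (("counter", COUNTER_ISNS), ("jitter", JITTER_ISNS), ("random", RANDOM_ISNS)):
        print(f"{name:8s} {effective_bits(s):5.1f} bits -> {classify_isn_generator(s)}")
```

The jitter sample shows why a small random perturbation on top of a counter is not a fix: once the common step is divided out, the remaining spread is under one bit.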

CVE-2014-5409 has been assigned to this vulnerability. A CVSS v2 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:N/A:P).

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.

DIFFICULTY

An attacker with low skill would be able to exploit this vulnerability.

MITIGATION

GE Digital Energy has released a new version of the Ethernet option, which resolves the identified vulnerability in newly released Hydran M2 devices. The update changes the sequence algorithm, which makes it improbable that a TCP sequence attack could succeed. The version of Ethernet card that implements this improvement is 94450214LFMT100SEM-L.R3-CL.

There is no method to update Hydran M2 devices released prior to October 2014. GE Digital Energy recommends that utilities using older versions of the Hydran M2 device implement network security defensive measures, to include the following:

• Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring.

• Minimize network exposure to all other control system devices. Control system devices should not directly face the Internet or business networks.

• Locate control system networks and devices behind properly configured firewalls, and isolate them from the business network.

• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

GE Digital Energy’s Product Bulletin is available at the following location (a user account is required):

http://libraries.ge.com/download?fileid=642886573101&entity_id=31955841101&sid=101

ICS-CERT provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov
