CVE-2017-7905
30.06.2017, 03:29
A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.
Vendor | Product | Version |
---|---|---|
ge | multilin_sr_750_feeder_protection_relay_firmware | 𝑥 ≤ 5.02 |
ge | multilin_sr_760_feeder_protection_relay_firmware | 𝑥 ≤ 5.02 |
ge | multilin_sr_469_motor_protection_relay_firmware | 𝑥 ≤ 2.90 |
ge | multilin_sr_489_generator_protection_relay_firmware | 𝑥 ≤ 1.53 |
ge | multilin_sr_745_transformer_protection_relay_firmware | 𝑥 ≤ 2.85 |
ge | multilin_sr_369_motor_protection_relay_firmware | - |
ge | multilin_universal_relay_firmware | 𝑥 ≤ 6.0 |
ge | multilin_urplus_d90_firmware | - |
ge | multilin_urplus_c90_firmware | - |
ge | multilin_urplus_b95_firmware | - |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-261 - Weak Encoding for Password: Obscuring a password with a trivial encoding does not protect the password.
- CWE-326 - Inadequate Encryption Strength: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.