BSI-2022-0005
Vulnerability from csaf_certbund - Published: 2022-11-02 21:00 - Updated: 2022-11-02 21:00
Summary
Multiple Vulnerabilities in GE MS 3000
Notes
Legal disclaimer
As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.
Summary
E.ON Pentesting Team has found several vulnerabilities in the firmware of GE Grid Solutions' MS 3000. These include an unprotected and open debug service, web service access without authentication or encryption, and directory traversal.
Product description
The MS 3000 is an online condition monitoring and expert system for transformers. It includes a web-based interface as well as a wide range of communication protocols (including IEC 61850).
{
"document": {
"acknowledgments": [
{
"names": [
"Daniel Szameitat"
],
"organization": "E.ON Pentesting",
"summary": "finding and reporting the vulnerabilities"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.",
"title": "Legal disclaimer"
},
{
"category": "summary",
"text": "E.ON Pentesting Team has found several vulnerabilities in the firmware of GE Grid Solution\u0027s MS 3000. These include an unprotected and open debug service, web service access without authentication or encryption and directory traversal.",
"title": "Summary"
},
{
"category": "description",
"text": "The MS 3000 is an online condition monitoring and expert system for transformers. It includes a web-based interface as well as a wide range of communication protocols (including IEC 61850).",
"title": "Product description"
}
],
"publisher": {
"category": "coordinator",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "BSI-2022-0005 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/bsi-2022-0005.json"
},
{
"category": "external",
"summary": "GE Grid Solutions advisory - GES-2021-011",
"url": "https://www.gegridsolutions.com/app/viewfiles.aspx?prod=ms3000\u0026type=21"
},
{
"category": "external",
"summary": "GE Grid Solutions - Product page",
"url": "https://www.gegridsolutions.com/md/catalog/ms3000.htm"
}
],
"title": "Multiple Vulnerabilities in GE MS 3000",
"tracking": {
"aliases": [
"GES-2021-011"
],
"current_release_date": "2022-11-02T21:00:00.000Z",
"generator": {
"date": "2022-11-02T20:56:53.444Z",
"engine": {
"name": "Secvisogram",
"version": "2.0.0"
}
},
"id": "BSI-2022-0005",
"initial_release_date": "2022-11-02T21:00:00.000Z",
"revision_history": [
{
"date": "2022-11-02T21:00:00.000Z",
"number": "1",
"summary": "Initial version."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "MS 3000",
"product": {
"name": "GE Grid Solutions MS 3000",
"product_id": "CSAFPID-0001"
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c3.7.6.25p0_3.2.2.17p0_4.7p0",
"product": {
"name": "GE Grid Solutions MS 3000 firmware \u003c3.7.6.25p0_3.2.2.17p0_4.7p0",
"product_id": "CSAFPID-0002"
}
},
{
"category": "product_version",
"name": "3.7.6.25p0_3.2.2.17p0_4.7p0",
"product": {
"name": "GE Grid Solutions MS 3000 firmware 3.7.6.25p0_3.2.2.17p0_4.7p0",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "MS 3000 firmware"
}
],
"category": "vendor",
"name": "GE Grid Solutions"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "GE Grid Solutions MS 3000 firmware \u003c3.7.6.25p0_3.2.2.17p0_4.7p0 installed on GE Grid Solutions MS 3000",
"product_id": "CSAFPID-0004"
},
"product_reference": "CSAFPID-0002",
"relates_to_product_reference": "CSAFPID-0001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "GE Grid Solutions MS 3000 firmware 3.7.6.25p0_3.2.2.17p0_4.7p0 installed on GE Grid Solutions MS 3000",
"product_id": "CSAFPID-0005"
},
"product_reference": "CSAFPID-0003",
"relates_to_product_reference": "CSAFPID-0001"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-43975",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"notes": [
{
"category": "summary",
"text": "A vulnerability in the web server allows arbitrary files and configurations to be read via directory traversal over TCP port 8888.",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-0005"
],
"known_affected": [
"CSAFPID-0004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
"product_ids": [
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0004"
]
}
],
"title": "Directory Traversal Vulnerability in the Web Server"
},
{
"cve": "CVE-2022-43976",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"notes": [
{
"category": "summary",
"text": "Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication.",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-0005"
],
"known_affected": [
"CSAFPID-0004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
"product_ids": [
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-0004"
]
}
],
"title": "Web Service Access Without Authentication and Encryption"
},
{
"cve": "CVE-2022-43977",
"cwe": {
"id": "CWE-1244",
"name": "Internal Asset Exposed to Unsafe Debug Access Level or State"
},
"notes": [
{
"category": "summary",
"text": "The debug port accessible via TCP (a qconn service) lacks access control.",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-0005"
],
"known_affected": [
"CSAFPID-0004"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
"product_ids": [
"CSAFPID-0004"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0004"
]
}
],
"title": "Unprotected and Open qconn Service"
}
]
}