The flaws affect SEL Compass, a tool designed for managing SEL products, and AcSELerator Architect 126.96.36.199 and prior versions, an app that streamlines the configuration and documentation of IEC 61850 control and SCADA communications. The security holes were discovered by Gjoko Krstic, a researcher from industrial cybersecurity firm Applied Risk.
SEL patched the vulnerabilities with the release of SEL Compass v188.8.131.52 and SEL AcSELerator v184.108.40.206.
One of them, a high severity XML External Entity (XXE) vulnerability, can lead to information disclosure and in some cases to arbitrary code execution or a denial-of-service (DoS) condition. The flaw, tracked as CVE-2018-10600 and scored 8.2 according to CVSS v3, can be exploited by getting the targeted user to open a specially crafted template or project file. “The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.selaprj). This attack can also be used to execute arbitrary code (in certain circumstances, depending on the platform) or cause a denial of service (DoS) condition (billion laughs) via a specially crafted XML file including multiple external entity references,” Applied Risk reported in the AcSELerator Architect advisory.
The second flaw affecting AcSELerator Architect, identified as CVE-2018-10608 and rated 6.5 according to CVSS v3, is a medium severity DoS issue that can be triggered using a malicious FTP server. “The vulnerability can be triggered when an attacker provides the victim with a rogue malicious FTP server and listens for connections from the AcSELerator Architect FTP client feature. Once the victim gets connected to the evil FTP via the TCP protocol, a 100% CPU exhaustion occurs rendering the software to hang (not responding), denying legitimate workflow to the victim until the application is forcibly restarted,” Applied Risk explained.
The SEL Compass application is affected by a high severity (scored 8.2 according to CVSS v3) insecure file permissions issue that can be exploited for privilege escalation. This bug is tracked as CVE-2018-10604. “The vulnerability exists due to the improper permissions on the SEL Compass directory, with the ’F’ flag (Full) for ’Everyone’ group. This gives an authenticated attacker the ability to modify or overwrite any file in the Compass directory with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the system the next time that a privileged user runs Compass,” Applied Risk said in the SEL Compass advisory.
SEL patched the vulnerabilities with the release of SEL Compass v220.127.116.11 and SEL AcSELerator v18.104.22.168. According to Applied Risk it took the vendor more than three months to release the updates. SEL recently teamed up with industrial cybersecurity firm Dragos to “arm the electric power community with the tools to better detect and respond to threats within their industrial control system (ICS) networks.” [securityweek.com, ics-cert.us-cert.gov]