bsi-2022-0005
Vulnerability from csaf_certbund
Published
2022-11-02 21:00
Modified
2022-11-02 21:00
Summary
Multiple Vulnerabilities in GE MS 3000

Notes

Legal disclaimer
As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.
Summary
The E.ON Pentesting Team found several vulnerabilities in the firmware of GE Grid Solutions' MS 3000. These include an unprotected, openly reachable debug service (qconn), web service access without authentication or encryption, and a directory traversal in the web server.
Product description
The MS 3000 is an online condition monitoring and expert system for transformers. It includes a web-based interface as well as a wide range of communication protocols (including IEC 61850).



{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Daniel Szameitat"
        ],
        "organization": "E.ON Pentesting",
        "summary": "finding and reporting the vulnerabilities"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "As a content provider, BSI is responsible under general law for its own content distributed for use. However, it remains your responsibility to carefully check usage and/or implementation of information provided with the content.",
        "title": "Legal disclaimer"
      },
      {
        "category": "summary",
        "text": "The E.ON Pentesting Team found several vulnerabilities in the firmware of GE Grid Solutions\u0027 MS 3000. These include an unprotected, openly reachable debug service (qconn), web service access without authentication or encryption, and a directory traversal in the web server.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "The MS 3000 is an online condition monitoring and expert system for transformers. It includes a web-based interface as well as a wide range of communication protocols (including IEC 61850).",
        "title": "Product description"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "BSI-2022-0005 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/bsi-2022-0005.json"
      },
      {
        "category": "external",
        "summary": "GE Grid Solutions advisory - GES-2021-011",
        "url": "https://www.gegridsolutions.com/app/viewfiles.aspx?prod=ms3000\u0026type=21"
      },
      {
        "category": "external",
        "summary": "GE Grid Solutions - Product page",
        "url": "https://www.gegridsolutions.com/md/catalog/ms3000.htm"
      }
    ],
    "title": "Multiple Vulnerabilities in GE MS 3000",
    "tracking": {
      "aliases": [
        "GES-2021-011"
      ],
      "current_release_date": "2022-11-02T21:00:00.000Z",
      "generator": {
        "date": "2022-11-02T20:56:53.444Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.0.0"
        }
      },
      "id": "BSI-2022-0005",
      "initial_release_date": "2022-11-02T21:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-11-02T21:00:00.000Z",
          "number": "1",
          "summary": "Initial version."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "MS 3000",
            "product": {
              "name": "GE Grid Solutions MS 3000",
              "product_id": "CSAFPID-0001"
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.7.6.25p0_3.2.2.17p0_4.7p0",
                "product": {
                  "name": "GE Grid Solutions MS 3000 firmware \u003c3.7.6.25p0_3.2.2.17p0_4.7p0",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version",
                "name": "3.7.6.25p0_3.2.2.17p0_4.7p0",
                "product": {
                  "name": "GE Grid Solutions MS 3000 firmware 3.7.6.25p0_3.2.2.17p0_4.7p0",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "MS 3000 firmware"
          }
        ],
        "category": "vendor",
        "name": "GE Grid Solutions"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "GE Grid Solutions MS 3000 firmware \u003c3.7.6.25p0_3.2.2.17p0_4.7p0 installed on GE Grid Solutions MS 3000",
          "product_id": "CSAFPID-0004"
        },
        "product_reference": "CSAFPID-0002",
        "relates_to_product_reference": "CSAFPID-0001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "GE Grid Solutions MS 3000 firmware 3.7.6.25p0_3.2.2.17p0_4.7p0 installed on GE Grid Solutions MS 3000",
          "product_id": "CSAFPID-0005"
        },
        "product_reference": "CSAFPID-0003",
        "relates_to_product_reference": "CSAFPID-0001"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-43975",
      "cwe": {
        "id": "CWE-23",
        "name": "Relative Path Traversal"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A directory traversal vulnerability in the web server on TCP port 8888 allows a remote, unauthenticated attacker to read arbitrary files, including configuration files.",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0005"
        ],
        "known_affected": [
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "Directory Traversal Vulnerability in the Web Server"
    },
    {
      "cve": "CVE-2022-43976",
      "cwe": {
        "id": "CWE-288",
        "name": "Authentication Bypass Using an Alternate Path or Channel"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The API can be called directly, without any authentication, through the CGI programs in the cgi-bin folder of the web server on TCP port 8888. Access to this web service is neither authenticated nor encrypted.",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0005"
        ],
        "known_affected": [
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "Web Service Access Without Authentication and Encryption"
    },
    {
      "cve": "CVE-2022-43977",
      "cwe": {
        "id": "CWE-1244",
        "name": "Internal Asset Exposed to Unsafe Debug Access Level or State"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The qconn debug service, which is reachable over TCP, enforces no access control, so anyone able to connect to the port can use it.",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0005"
        ],
        "known_affected": [
          "CSAFPID-0004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to the latest firmware version, at least 3.7.6.25p0_3.2.2.17p0_4.7p0.",
          "product_ids": [
            "CSAFPID-0004"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0004"
          ]
        }
      ],
      "title": "Unprotected and Open qconn Service"
    }
  ]
}

