How to remediate – GE Multilin UR / URPlus / B95Plus Relay Web Interface Detection

1. Introduction

The GE Multilin UR, URPlus, and B95Plus Relay Web Interface Detection vulnerability affects remote devices used for managing SCADA systems. These relays control, protect, and monitor critical infrastructure. Successful exploitation could allow an attacker to gain unauthorized access to the web interface of these devices, which may impact the confidentiality, integrity, and availability of connected systems.

2. Technical Explanation

The vulnerability lies in the default configuration of the web interface on GE Multilin UR family relays. By default, the interface is accessible remotely without strong authentication, so an attacker can potentially access sensitive information or modify device settings. For example, an attacker could gain control over protective relay functions. There is no known CVE associated with this specific detection, but it represents a high-risk configuration issue. Affected versions include all UR, URPlus and B95Plus relays without appropriate security hardening.

  • Root cause: Weak or missing authentication on the web interface by default.
  • Exploit mechanism: An attacker connects to the device’s network port 80 (HTTP) or 443 (HTTPS) and attempts to access the web interface without credentials. If successful, they can view configuration details and potentially make changes.
  • Scope: GE Multilin UR, URPlus, and B95Plus relays.

3. Detection and Assessment

Confirming the vulnerability involves checking whether the web interface is accessible with default credentials or without any authentication. A thorough method includes network scanning for open ports and attempting to access the web interface.

  • Quick checks: Attempt to browse to the device’s IP address in a web browser (e.g., http://) and observe if a login prompt appears or if the interface is directly accessible.
  • Scanning: Nessus plugin 167328 can identify GE Multilin UR devices. This is an example only, as scanner coverage varies.
  • Logs and evidence: Review web server logs on the device (if available) for access attempts to the web interface from unknown sources.
ping 

4. Solution / Remediation Steps

The primary solution is to change default credentials and enable strong authentication on the web interface. These steps should be performed carefully to avoid disrupting critical operations.

4.1 Preparation

  • Services: No services need to be stopped for this remediation, but access should be controlled during the change window.

4.2 Implementation

  1. Access the relay’s web interface using existing credentials (if known).
  2. Navigate to the security settings section of the web interface.
  3. Change the default username and password to strong, unique values.
  4. Enable authentication for all access to the web interface.
  5. Save the changes and restart the relay if prompted.

4.3 Config or Code Example

Before

Default username: admin, Default password: admin

After

Username: , Password: 

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege limits the impact of a compromised account, while strong authentication makes it harder for attackers to gain access.

  • Practice 1: Implement least privilege by granting only necessary permissions to users accessing the relay.
  • Practice 2: Enforce strong password policies and multi-factor authentication where possible.

4.5 Automation (Optional)

Automation is not generally suitable for this vulnerability due to the device-specific configuration requirements.

5. Verification / Validation

  • Post-fix check: Attempt to log in using the old (default) username and password; it should fail.
  • Monitoring: Monitor logs for failed login attempts to identify potential brute-force attacks.
Attempt to access http:// with default credentials - should be blocked.
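
The log review in section 3 (access from unknown sources) and the monitoring step above (failed logins that suggest brute force) can be combined into one check. The following is an added example, not GE or vendor code: it assumes access logs in Common Log Format from a gateway or proxy in front of the relay, and the allowlist, threshold, window and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Common Log Format, lines in chronological order.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])
    except ValueError:
        return None

def audit(lines, allowed_sources, max_failures=5, window=timedelta(seconds=60)):
    """Flag sources outside the allowlist and bursts of 401/403 per source."""
    unknown, brute, skipped = set(), set(), 0
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # count unparsable lines instead of hiding them
            continue
        ip, ts, status = rec
        if ip not in allowed_sources:
            unknown.add(ip)
        if status in (401, 403):
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures older than the sliding window
            if len(q) >= max_failures:
                brute.add(ip)
    return {"unknown_sources": sorted(unknown),
            "brute_force": sorted(brute), "skipped": skipped}

# Constructed sample log using documentation-range addresses, not real traffic.
ALLOWED = {"192.0.2.10"}  # hypothetical engineering workstation
SAMPLE = ['192.0.2.10 - - [27/Dec/2025:08:00:01 +0000] "GET / HTTP/1.1" 200 512']
SAMPLE += [f'198.51.100.7 - - [27/Dec/2025:08:01:{s:02d} +0000] "GET / HTTP/1.1" 401 0'
           for s in range(0, 30, 5)]
SAMPLE += ["truncated line"]

if __name__ == "__main__":
    print(audit(SAMPLE, ALLOWED))
```

Tune `max_failures` and `window` to the site's normal operator behaviour, and treat a non-zero `skipped` count as a reason to check the log format before trusting a clean result.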

6. Preventive Measures and Monitoring

Regular security audits, baseline configurations, and patch management can help prevent this issue. For example, a CIS control related to secure configuration or a regular vulnerability scan can identify exposed interfaces.

  • Baselines: Implement a security baseline that requires strong authentication on all network devices.
  • Asset and patch process: Review relay configurations regularly for compliance with security standards.

7. Risks, Side Effects, and Roll Back

Changing credentials incorrectly could lock you out of the device. Always test changes in a non-production environment first. If issues arise, restore from the backup created in step 4.1.

  • Risk or side effect 1: Incorrectly configured authentication may prevent legitimate users from accessing the interface.
  • Risk or side effect 2: Restarting the relay may temporarily disrupt operations.

8. References and Resources

Updated on December 27, 2025
