CVE-2017-7905

 

  • Severity Score (CVSS v3): 9.8
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.

A weak cryptography for passwords issue has been discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay with firmware versions prior to version 7.47.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2017-04-18 CVE Reserved
  • 2017-06-30 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-261: Weak Encoding for Password
  • CWE-326: Inadequate Encryption Strength
  • CWE-330: Use of Insufficiently Random Values
  • CWE-522: Insufficiently Protected Credentials
CAPEC
References (2)
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Ge | Multilin Sr 750 Feeder Protection Relay Firmware | <= 5.02 | - | Affected |
| in Ge | Multilin Sr 750 Feeder Protection Relay | - | - | Safe |
| Ge | Multilin Sr 760 Feeder Protection Relay Firmware | <= 5.02 | - | Affected |
| in Ge | Multilin Sr 760 Feeder Protection Relay | - | - | Safe |
| Ge | Multilin Sr 469 Motor Protection Relay Firmware | <= 2.90 | - | Affected |
| in Ge | Multilin Sr 469 Motor Protection Relay | - | - | Safe |
| Ge | Multilin Sr 489 Generator Protection Relay Firmware | <= 1.53 | - | Affected |
| in Ge | Multilin Sr 489 Generator Protection Relay | - | - | Safe |
| Ge | Multilin Sr 745 Transformer Protection Relay Firmware | <= 2.85 | - | Affected |
| in Ge | Multilin Sr 745 Transformer Protection Relay | - | - | Safe |
| Ge | Multilin Sr 369 Motor Protection Relay Firmware | - | - | Affected |
| in Ge | Multilin Sr 369 Motor Protection Relay | - | - | Safe |
| Ge | Multilin Universal Relay Firmware | <= 6.0 | - | Affected |
| in Ge | Multilin Universal Relay | - | - | Safe |
| Ge | Multilin Urplus D90 Firmware | - | - | Affected |
| in Ge | Multilin Urplus D90 | - | - | Safe |
| Ge | Multilin Urplus C90 Firmware | - | - | Affected |
| in Ge | Multilin Urplus C90 | - | - | Safe |
| Ge | Multilin Urplus B95 Firmware | - | - | Affected |
| in Ge | Multilin Urplus B95 | - | - | Safe |