CVE-2021-27428

GE UR family Unrestricted Upload of File with Dangerous Type

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.

IED GE UR versiones de firmware anteriores a versión 8.1x, admiten la actualización del firmware mediante la herramienta de configuración UR Setup - Enervista UR Setup. Esta herramienta UR Setup comprueba la autenticidad e integridad del archivo de firmware antes de cargar el IED UR. Un usuario no legítimo podría actualizar el firmware sin privilegios apropiados. Ha sido evaluada la debilidad y ha sido implementada una mitigación en versión 8.10 del firmware

*Credits: SCADA-X, DOE’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program, Verve Industrial, and VuMetric reported these vulnerabilities to GE.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-02-19 CVE Reserved
2022-03-23 CVE Published
2024-08-03 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (1)

URL	Tag	Source
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Ge Search vendor "Ge"	Multilin B30 Firmware Search vendor "Ge" for product "Multilin B30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin B30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin B30 Search vendor "Ge" for product "Multilin B30"	-	-	Safe
Ge Search vendor "Ge"	Multilin B90 Firmware Search vendor "Ge" for product "Multilin B90 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin B90 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin B90 Search vendor "Ge" for product "Multilin B90"	-	-	Safe
Ge Search vendor "Ge"	Multilin C60 Firmware Search vendor "Ge" for product "Multilin C60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C60 Search vendor "Ge" for product "Multilin C60"	-	-	Safe
Ge Search vendor "Ge"	Multilin C70 Firmware Search vendor "Ge" for product "Multilin C70 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C70 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C70 Search vendor "Ge" for product "Multilin C70"	-	-	Safe
Ge Search vendor "Ge"	Multilin C95 Firmware Search vendor "Ge" for product "Multilin C95 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C95 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C95 Search vendor "Ge" for product "Multilin C95"	-	-	Safe
Ge Search vendor "Ge"	Multilin D30 Firmware Search vendor "Ge" for product "Multilin D30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin D30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin D30 Search vendor "Ge" for product "Multilin D30"	-	-	Safe
Ge Search vendor "Ge"	Multilin D60 Firmware Search vendor "Ge" for product "Multilin D60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin D60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin D60 Search vendor "Ge" for product "Multilin D60"	-	-	Safe
Ge Search vendor "Ge"	Multilin F35 Firmware Search vendor "Ge" for product "Multilin F35 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin F35 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin F35 Search vendor "Ge" for product "Multilin F35"	-	-	Safe
Ge Search vendor "Ge"	Multilin F60 Firmware Search vendor "Ge" for product "Multilin F60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin F60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin F60 Search vendor "Ge" for product "Multilin F60"	-	-	Safe
Ge Search vendor "Ge"	Multilin G30 Firmware Search vendor "Ge" for product "Multilin G30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin G30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin G30 Search vendor "Ge" for product "Multilin G30"	-	-	Safe
Ge Search vendor "Ge"	Multilin G60 Firmware Search vendor "Ge" for product "Multilin G60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin G60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin G60 Search vendor "Ge" for product "Multilin G60"	-	-	Safe
Ge Search vendor "Ge"	Multilin L30 Firmware Search vendor "Ge" for product "Multilin L30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L30 Search vendor "Ge" for product "Multilin L30"	-	-	Safe
Ge Search vendor "Ge"	Multilin L60 Firmware Search vendor "Ge" for product "Multilin L60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L60 Search vendor "Ge" for product "Multilin L60"	-	-	Safe
Ge Search vendor "Ge"	Multilin L90 Firmware Search vendor "Ge" for product "Multilin L90 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin L90 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin L90 Search vendor "Ge" for product "Multilin L90"	-	-	Safe
Ge Search vendor "Ge"	Multilin M60 Firmware Search vendor "Ge" for product "Multilin M60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin M60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin M60 Search vendor "Ge" for product "Multilin M60"	-	-	Safe
Ge Search vendor "Ge"	Multilin N60 Firmware Search vendor "Ge" for product "Multilin N60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin N60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin N60 Search vendor "Ge" for product "Multilin N60"	-	-	Safe
Ge Search vendor "Ge"	Multilin T35 Firmware Search vendor "Ge" for product "Multilin T35 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin T35 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin T35 Search vendor "Ge" for product "Multilin T35"	-	-	Safe
Ge Search vendor "Ge"	Multilin T60 Firmware Search vendor "Ge" for product "Multilin T60 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin T60 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin T60 Search vendor "Ge" for product "Multilin T60"	-	-	Safe
Ge Search vendor "Ge"	Multilin C30 Firmware Search vendor "Ge" for product "Multilin C30 Firmware"	< 8.10 Search vendor "Ge" for product "Multilin C30 Firmware" and version " < 8.10"	-	Affected	in	Ge Search vendor "Ge"	Multilin C30 Search vendor "Ge" for product "Multilin C30"	-	-	Safe