Several vulnerabilities, including ones rated high severity, have been discovered in management and configuration tools from power grid protection company Schweitzer Engineering Laboratories (SEL). The vendor has released software updates to address the flaws.
The security holes were discovered by Gjoko Krstic, a researcher with industrial cybersecurity firm Applied Risk. The flaws affect SEL Compass, a tool designed for managing SEL products, and AcSELerator Architect, an app that streamlines the configuration and documentation of IEC 61850 control and SCADA communications.
According to advisories published by Applied Risk and ICS-CERT, AcSELerator Architect 220.127.116.11 and prior versions are affected by two vulnerabilities. One of them, a high severity XML External Entity (XXE) vulnerability, can lead to information disclosure and in some cases to arbitrary code execution or a denial-of-service (DoS) condition. The flaw, tracked as CVE-2018-10600, can be exploited by getting the targeted user to open a specially crafted template or project file.
“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.selaprj). This attack can also be used to execute arbitrary code (in certain circumstances, depending on the platform) or cause a denial of service (DoS) condition (billion laughs) via a specially crafted XML file including multiple external entity references,” Applied Risk wrote in its advisory.
The second flaw affecting AcSELerator Architect, identified as CVE-2018-10608, is a medium severity DoS issue that can be triggered using a malicious FTP server.
“The vulnerability can be triggered when an attacker provides the victim with a rogue malicious FTP server and listens for connections from the AcSELerator Architect FTP client feature. Once the victim gets connected to the evil FTP via the TCP protocol, a 100% CPU exhaustion occurs rendering the software to hang (not responding), denying legitimate workflow to the victim until the application is forcibly restarted,” Applied Risk explained.
As for SEL Compass, the application is affected by a high severity insecure file permissions issue that can be exploited for privilege escalation. This bug is tracked as CVE-2018-10604.
“The vulnerability exists due to the improper permissions on the SEL Compass directory, with the ‘F’ flag (Full) for ‘Everyone’ group. This gives an authenticated attacker the ability to modify or overwrite any file in the Compass directory with malicious code (trojan or a rootkit). This could result in escalation of privileges or malicious effects on the system the next time that a privileged user runs Compass,” Applied Risk said in a different advisory.
SEL patched the vulnerabilities with the release of SEL Compass v18.104.22.168 and SEL AcSELerator v22.214.171.124. Applied Risk told SecurityWeek that it took the vendor more than three months to release the updates.
SEL recently teamed up with industrial cybersecurity firm Dragos to “arm the electric power community with the tools to better detect and respond to threats within their industrial control system (ICS) networks.”