| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2018-02-15 | Other | GE | Kirill Nesterov of Kaspersky Labs discovered these vulnerabilities, and GE and Kaspersky Labs reported and coordinated the vulne | N/A | CVE-2018-5475 CVE-2018-5473 | N/A |  | N/A | N/A |
Source
#
# GE D60 Line Distance Relay
#
### VULNERABLE VENDOR
GE
### VULNERABLE PRODUCT
D60 Line Distance Relay
### RESEARCHER
Kirill Nesterov of Kaspersky Labs discovered these vulnerabilities, and GE and Kaspersky Labs reported and coordinated the vulnerabilities with NCCIC.
### AFFECTED PRODUCTS
The following versions of the D60 Line Distance Relay are affected:
D60 devices running firmware Version 7.11 and prior
### IMPACT
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on the device.
### VULNERABILITY OVERVIEW
STACK-BASED BUFFER OVERFLOW CWE-121
Multiple stack-based buffer overflow vulnerabilities have been identified, which may allow remote code execution.
CVE-2018-5475 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119
The SSH functions of the device are vulnerable to buffer overflow conditions that may allow a remote attacker to execute arbitrary code on the device.
CVE-2018-5473 has been assigned to this vulnerability.
A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
### BACKGROUND
Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: USA
### MITIGATION
GE has released firmware that addresses the vulnerabilities. The latest firmware can be obtained from:
https://www.gegridsolutions.com/app/ViewFiles.aspx?prod=d60&type=7
Authentication will be required to download the firmware.