GE Time Sync Clock Exploit

Ockom
Jun 3, 2020

Back in May, Sr. Researcher Ehab Hussein of IOActive found an exploit on the GE Reason RT clocks which allows for sensitive data exposure and arbitrary code execution. Yesterday, CERT released the advisory on it, and it maintained a CVSS of 9.6.

GE Grid Solutions Reason RT Clocks | CISA [https://www.us-cert.gov/ics/advisories/icsa-20-154-05]
1. EXECUTIVE SUMMARY: CVSS v3 9.6. ATTENTION: Low skill level to exploit/exploitable remotely. Vendor: GE. Equipment: Grid Solutions Reason RT Clocks. Vulnerability: Missing Authentication for Critical Function.
2. RISK EVALUATION: Successful exploitation of this vulnerability could allow access to s…

The clocks provide precision time via GPS and GLONASS. Read about the GE clock details here:

Reason RT430/RT434 — GE Grid Solutions [https://www.gegridsolutions.com/measurement_recording_timesync/catalog/rt430.htm]
Reason RT430/RT434 GNSS Precision-Time Clocks are universal precision time synchronization units with reference to GPS and GLONASS satellites. These clocks include a number of outputs to support many timing protocols, including the DST rules frequently used on power systems applications. In accordan…

NTP attacks and the like are not new. In fact, one of the first exploits against the NTP daemon in Unix [https://www.exploit-db.com/exploits/20727] is still on exploit-db. And in 2012, some folks from Carnegie Mellon wrote a decent paper on GPS attacks [https://users.ece.cmu.edu/~dbrumley/pdf/Nighswander%20et%20al._2012_GPS%20software%20attacks.pdf], which included network clocks such as this one. And if you really feel like reading, check out the NSA/Cisco Router Config guide [https://www.cisco.com/E-Learning/bulk/public/celc/CRS/media/targets/resources_mod07/7_3_4_2RSCG.pdf]. The detrimental effect of GPS degradation or loss on ICSs, or even just on large-scale networks, is nothing new. In 2001 a study was done for the U.S. Department of Transportation [https://rntfnd.org/wp-content/uploads/Vople_vulnerability_assess_2001.pdf] on just that very thing.

Vulnerabilities

Unauthenticated Remote Command Execution
The remote web server hosts scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to execute arbitrary commands on the remote host. The RT430's web application exposes an endpoint that allows an unauthenticated attacker to inject code into a parameter within the POST request body in order to execute arbitrary commands on the system with 'root' permissions.

Unauthenticated Device Persistent DoS
An unauthenticated attacker can send a request to a specific URL on the device which causes it to become unresponsive. This is a result of the device not fully validating the IP addresses being set on the device.

Unauthenticated Password Change for Configuration User
The RT430's web application exposes an endpoint that allows an unauthenticated attacker to change the password for the 'configuration' user account. The attacker could then reconfigure the device using the 'configuration' account along with the new credentials created.

Web Authentication is Checked Client-side in Browser
An attacker could bypass authentication in the web application by manipulating areas of the website's JavaScript code that are presented in the web browser. The RT430's web application appears to perform some authentication checking on the client side (browser) in some areas of the web application, which is easy to bypass. An attacker could exploit this access to reconfigure the device.

Unauthenticated Remote Device Reboot
The RT430's web application exposes an endpoint that allows an unauthenticated attacker to reboot the system via a GET request.

How to Fix?
Update to the latest patch [https://www.gegridsolutions.com/app/ViewFiles.aspx?prod=RT430&type=7] (duh).
