As cities continue to grow and evolve, so do the challenges of managing their complex infrastructure. At the heart of smart cities are advanced systems and devices that collect and process real-time data from various sources, including power substations. Notably, substation Remote Terminal Units (RTUs) play a crucial role in the smart city ecosystem: from monitoring power consumption to optimizing energy distribution, they are becoming an indispensable tool for cities looking to improve their infrastructure and efficiently monitor and manage resources.
Schweitzer Engineering Laboratories (SEL) is a company that specializes in designing and manufacturing electronic systems and components for the power industry. SEL products and services include protection, automation, and control solutions for power systems, as well as communication and cybersecurity technologies. The company’s customers range from utilities and power plant operators to industrial facilities and data centers.
Nozomi Networks Labs had the opportunity to test a SEL-3350 computing platform running the SEL Realtime Automation Controller (RTAC) suite. In this blog, we disclose 19 vulnerabilities that affect the web interface of the RTAC platform, available in the SEL-2241, SEL-3530, SEL-3530-4, SEL-3505, SEL-3505-3, SEL-3532-1, SEL-3532-4, SEL-3350, SEL-3555, and SEL-3560. The issues could have allowed an attacker to obtain unauthorized access to the web interface, alter displayed information, manipulate its logic, perform Man-in-the-Middle (MitM) attacks, or execute arbitrary code. Nozomi Networks Labs alerted SEL about these vulnerabilities in November 2022. SEL responded by sharing details of the vulnerabilities and providing firmware update instructions in an SEL Service Bulletin dated 11/15/22 that was disseminated to affected customers.
SEL RTAC Vulnerabilities Found
While analyzing the web-based HMI of the SEL RTAC, we found nineteen vulnerabilities, as listed below:
Critical risk:
- CVE-2023-31148: Improper Input Validation (CWE-20), CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- CVE-2023-31149: Improper Input Validation (CWE-20), CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
High risk:
- CVE-2023-31150: Storing Passwords in a Recoverable Format (CWE-257), CVSS v3.1 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
Medium risk:
- CVE-2023-31151: Improper Certificate Validation (CWE-295), CVSS v3.1 Base Score: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
- CVE-2023-31152: Authentication Bypass Using an Alternate Path or Channel (CWE-288), CVSS v3.1 Base Score: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
- CVE-2023-31153: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31154: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31155: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31156: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31157: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31158: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31159: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31160: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31161: Improper Input Validation (CWE-20), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31163: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31164: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31165: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
- CVE-2023-31166: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22), CVSS v3.1 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Low risk:
- CVE-2023-31162: Improper Input Validation (CWE-20), CVSS v3.1 Base Score: 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L)
Impacts
The most impactful vulnerabilities are CVE-2023-31148, CVE-2023-31149, and CVE-2023-31150.
- CVE-2023-31148 and CVE-2023-31149 are two authenticated command injection issues that can allow any user with network write privileges to execute commands on the underlying OS as root. During the test, we successfully exploited both vulnerabilities to obtain a root reverse shell on the device.
- CVE-2023-31150 stems from the storage of user passwords in an additional, legacy encrypted format that proved to be reversible. Any user with access to the underlying OS could recover the cleartext versions of the credentials encrypted on the system. If these credentials are reused on other devices, full-privilege access to those devices is granted as well.
To exploit these bugs, some form of authenticated access is needed, but this requirement can be circumvented by leveraging one of the other vulnerabilities. For instance, we noticed that many of the Cross-Site Scripting (XSS) flaws we found could be stored and exploited by unprivileged remote attackers by tricking an authenticated user into clicking a single link or browsing a malicious webpage. If the attacker can position themselves between the device and the upstream server it proxies, CVE-2023-31151 could allow them to skip the social engineering phase and poison the responses with arbitrary HTML/JavaScript code, even when the communication is TLS-protected.
In the worst-case scenario, by chaining some of these vulnerabilities in a multi-step attack, an unauthenticated remote attacker could alter the core functionality of the device, tampering with the information shown to operators or with the configuration of the device itself. Additionally, access to all other systems protected by the same credentials could be acquired, allowing the attacker to move laterally within the power infrastructure with ease.
Remediations
We recommend that asset owners promptly apply the updated firmware described in the SEL Service Bulletin dated 11/15/2022 and distributed by SEL to affected customers (or a more recent firmware release) to prevent any abuse of these systems by unauthorized threat actors.
Summary
Substation RTUs play a critical role in the development and implementation of smart city solutions. By providing real-time data and analytics, they enable cities to make informed decisions about their energy infrastructure, which can lead to significant improvements in efficiency, sustainability, and resilience. The integration of substation RTUs into smart city networks has already resulted in benefits, such as reduced energy consumption, improved outage response times, and better asset management, but, as with other smart devices, has also resulted in new opportunities for cyber adversaries.
In this article, we have unveiled 19 vulnerabilities that affected the web interface of the SEL RTAC platform and that could have resulted in unauthorized access, data modification, and other impacts. We urge asset owners to apply the available firmware upgrade to prevent adversaries from exploiting these vulnerabilities.