The Nozomi Networks Labs team recently investigated the two main software applications developed by Schweitzer Engineering Laboratories (SEL): SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator. These applications, typically installed on Windows engineering workstations, are used by engineers and technicians to commission, configure, and monitor SEL devices.
Our research and analysis led to the discovery of 9 new vulnerabilities affecting QuickSet and Grid Configurator.
The most severe of those 9 vulnerabilities could give a threat actor remote code execution (RCE) on an engineering workstation. Because both SEL software offerings provide a wide range of functionality that helps asset owners and system operators supervise and manage complex infrastructures, their exploitation could allow a threat actor to alter the logic of every SEL device controlled by either application. Our previous SEL research, “19 New Vulnerabilities Found in SEL Real Time Automation Controllers,” was published in May 2023.
In response to our disclosure, SEL released software patches for both the QuickSet and Grid Configurator applications. Both versions are available for download on SEL’s official website. For Nozomi Networks customers, our Threat Intelligence service has been updated to provide protection against these newly discovered vulnerabilities.
SEL Vulnerabilities Found
Below is a list of all 9 vulnerabilities discovered by Nozomi Networks Labs, ranked by severity:
High risk:
- CVE-2023-31175: Execution with Unnecessary Privileges (CWE-250), CVSS v3.1 Base Score 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- CVE-2023-34392: Missing Authentication for Critical Function (CWE-306), CVSS v3.1 Base Score 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
- CVE-2023-31173: Use of Hard-coded Credentials (CWE-798), CVSS v3.1 Base Score 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
- CVE-2023-31174: Cross-Site Request Forgery (CSRF) (CWE-352), CVSS v3.1 Base Score 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Medium risk:
- CVE-2023-31170: Inclusion of Functionality from Untrusted Control Sphere (CWE-829), CVSS v3.1 Base Score 5.9 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
- CVE-2023-31171: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89), CVSS v3.1 Base Score 5.9 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
- CVE-2023-31172: Incomplete Filtering of Special Elements (CWE-791), CVSS v3.1 Base Score 5.9 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
- CVE-2023-31168: Inclusion of Functionality from Untrusted Control Sphere (CWE-829), CVSS v3.1 Base Score 5.5 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N)
- CVE-2023-31169: Improper Handling of Unicode Encoding (CWE-176), CVSS v3.1 Base Score 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N)
CVE-2023-31168 to 31172 affect AcSELerator QuickSet up to version 7.1.3.0 (included). CVE-2023-31173 to 31175 and CVE-2023-34392 affect SEL Grid Configurator up to version 4.5.0.20 (included).
Impacts
One of the most severe vulnerabilities in QuickSet, CVE-2023-31171, was located in the software’s import of a device configuration from an external DMX file. An attacker could craft a package which, if imported, would lead to RCE on the engineering workstation with NETWORK SERVICE privileges (Figure 1). On systems where both QuickSet and Grid Configurator are installed, this bug could furthermore be chained with CVE-2023-31175 (an Elevation of Privilege vulnerability affecting Grid Configurator) to obtain administrative privileges on the target workstation.
There are many vectors through which an attacker may attempt to exploit this vulnerability. For example:
- A threat actor may send a phishing email to a victim engineer with a DMX file attached and use social engineering to convince them to restore it;
- A malicious insider could attempt to poison copies of DMX files in storage or backup servers and simply wait for them to be restored.
After successfully compromising the engineering workstation, an attacker may use the system, its functionality and connectivity to launch a range of attacks, such as:
- Exfiltration of sensitive data;
- Surveillance or manipulation of the logic executed by target devices;
- Lateral movement to other systems.
The next most severe vulnerability, CVE-2023-34392, is caused by an unauthenticated web service that Grid Configurator exposes on localhost. Because of this issue, specially crafted client-side script executed on the engineering workstation while Grid Configurator is open in the background could surreptitiously send commands to target devices.
One of the ways to successfully exploit this vulnerability is via a malicious webpage (Figure 2). The simple act of clicking on a link, in the right conditions, could be enough to change a device configuration unbeknownst to the victim.
The social engineering step of convincing a victim to click on a link would, however, be unnecessary if an attacker managed to compromise a website the target visits regularly, for example through a stored Cross-Site Scripting (XSS) vulnerability on that legitimate website.
Having reached this stage, an attacker would be able to execute any of the supported commands on a target device, either by establishing a new session or by injecting commands into an already established one. Finally, the native functionality to clear the terminal history could allow an attacker to erase traces of their activity, making it harder for the victim to spot anything suspicious that happened in the background on their systems.
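The root cause described above is a localhost web service that trusts any caller, which lets a page in the user's browser reach it. The snippet below is an added example of how such a service can defend itself; it is not SEL's fix and makes no assumption about Grid Configurator's actual API. The hypothetical service hands a random session token only to the desktop application that owns it, rejects any request whose Host is not loopback (DNS rebinding), and rejects browser cross-site requests by inspecting the Origin and Sec-Fetch-Site headers that browsers attach automatically and that a native client does not send. The endpoint path, the header name X-Session-Token and port 8080 are assumptions for the example.

```python
"""Authorization for a localhost-only web service (added, hypothetical example)."""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Generated at start-up and shared only with the owning desktop application
# (for example via a file readable by that user alone). A web page running in
# the user's browser cannot read it, so it cannot forge an authorised call.
SESSION_TOKEN = secrets.token_urlsafe(32)

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "[::1]")


def authorize(headers, expected_token):
    """Return None if the request may proceed, otherwise a short reason.

    `headers` is any mapping of request headers (a dict or the
    email.message.Message that http.server provides); names are matched
    case-insensitively.
    """
    h = {name.lower(): value for name, value in headers.items()}

    # DNS rebinding: a public name resolving to 127.0.0.1 still carries that
    # name in Host. Only loopback names are accepted.
    host = h.get("host", "").split(":")[0] if not h.get("host", "").startswith("[") else h.get("host", "").rsplit(":", 1)[0]
    if host not in LOOPBACK_HOSTS:
        return "unexpected Host header"

    # Browsers add Origin to cross-origin fetch/XHR and form POSTs, and
    # Sec-Fetch-Site to every request. A native client sends neither.
    if "origin" in h:
        return "browser cross-origin request"
    if h.get("sec-fetch-site") in ("cross-site", "same-site"):
        return "browser cross-site request"

    # Every call must prove possession of the token; constant-time compare.
    presented = h.get("x-session-token", "").encode()
    if not hmac.compare_digest(presented, expected_token.encode()):
        return "missing or invalid session token"
    return None


class Handler(BaseHTTPRequestHandler):
    """Hypothetical command endpoint guarded by authorize()."""

    def do_POST(self):
        reason = authorize(self.headers, SESSION_TOKEN)
        if reason is not None:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # The real service would validate and dispatch the command here.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"accepted %d bytes\n" % len(body))


def serve(port=8080):
    """Bind to loopback only; never 0.0.0.0 for a workstation-local service."""
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()


if __name__ == "__main__":
    print("session token (for the desktop app only):", SESSION_TOKEN)
    serve()
```

The token check alone would already stop the attack from a web page, since script on another origin cannot read the token; the Origin/Sec-Fetch-Site and Host checks are defence in depth that also blocks the link-click case, where a plain navigation carries no Origin but does carry Sec-Fetch-Site: cross-site.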
Remediations
We urge asset owners to update their software installations of both the QuickSet and Grid Configurator applications to the most recent versions. The vulnerabilities were initially disclosed by SEL to customers in product instruction manual appendices A and E, dated 20230615.