General Electric MiCOM S1 Agile Vulnerability

By Arthur Yamamoto on December 7, 2023

Executive summary

On Tuesday, November 07, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-23-311-01) regarding a vulnerability in General Electric’s MiCOM S1 Agile Engineering Tool Suite. MiCOM S1 Agile is a universal intelligent electronic device (IED) engineering tool suite for MiCOM P40 Agile relays and provides integrated configuration and monitoring features for all MiCOM devices. Sushant Mane, Anooja Joy & Dr. Faruk Kazi from CoE-CNDS Lab notified CISA about the vulnerability, which, if exploited, could allow an attacker to upload malicious files and achieve code execution.

Background

On Tuesday, November 07, 2023, Sushant Mane, Anooja Joy & Dr. Faruk Kazi from CoE-CNDS Lab reported a vulnerability in General Electric’s MiCOM S1 Agile Engineering Tool Suite to CISA. The following versions of General Electric MiCOM S1 Agile are affected:

MiCOM S1 Agile: All versions

The exposure was identified as an Uncontrolled Search Path Element vulnerability. It was assigned a common vulnerabilities and exposures (CVE) number, CVE-2023-0898. The software is used worldwide in a multitude of services and sectors, most notably in some critical infrastructure sectors, none of which have been identified for security purposes.

Vulnerabilities

CVE-2023-0898 is considered a medium threat level and maps to common weakness enumeration ID 427 (CWE-427). This weakness is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as “/tmp” or the current working directory. The flaw in the General Electric MiCOM S1 Agile software enables the attacker to achieve code execution by placing malicious DLL files in the directory of the application. The impact can range from malware execution to an attacker gaining full control over a compromised machine. This is not considered exploitable remotely; an attacker would need to inject these files manually, and no known public exploits target this vulnerability.
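One way to check an engineering workstation for the condition described above, as an added example that is not part of the CISA advisory or GE's tooling: compare the DLLs in the application directory against a known-good baseline and report whether the directory is writable by the auditing account. The function names are hypothetical, and the sample directory and file names are constructed because the page does not give the real install path or file list.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(app_dir: Path) -> dict[str, str]:
    """Record lower-cased name -> SHA-256 for every DLL in a known-good install."""
    return {p.name.lower(): sha256_of(p)
            for p in app_dir.iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def audit_app_dir(app_dir: Path, baseline: dict[str, str]) -> dict:
    """Compare the DLLs currently in app_dir against the baseline."""
    current = build_baseline(app_dir)
    return {
        # DLLs that were not part of the known-good install
        "unexpected": sorted(set(current) - set(baseline)),
        # DLLs whose content changed since the baseline was taken
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
        "missing": sorted(set(baseline) - set(current)),
        # A directory writable by a standard account is the CWE-427 precondition
        "writable_by_current_user": os.access(app_dir, os.W_OK),
    }


def demo() -> dict:
    """Constructed sample data: a stand-in directory, not real MiCOM S1 Agile files."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "Vendor.Core.dll").write_bytes(b"constructed known-good library A")
        (app / "Vendor.Comms.dll").write_bytes(b"constructed known-good library B")
        (app / "readme.txt").write_text("not a DLL, ignored by the audit")
        baseline = build_baseline(app)
        # Two constructed changes the audit should report
        (app / "unlisted.dll").write_bytes(b"constructed file not in the install")
        (app / "Vendor.Comms.dll").write_bytes(b"constructed altered content")
        return audit_app_dir(app, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a freshly installed, updated copy and run the audit as a standard (non-administrator) account so the writability result reflects what an unprivileged process could do.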

Significance

Malicious code execution can allow an attacker to access the system and expose other systems, sensitive data, and valuable information assets, potentially opening the door to privilege escalation. General Electric has released an update that resolves this vulnerability, and no action is required from the user. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also recommends users take the following measures to protect themselves from social engineering attacks:

 

Do not click web links or open attachments in unsolicited email messages.

Avoiding Email Scams.

Avoiding Social Engineering and Phishing Attacks.

References

GE Micom S1 agile: CISA. Cybersecurity and Infrastructure Security Agency CISA. (2023, November 9). https://www.cisa.gov/news-events/ics-advisories/icsa-23-311-01

GE. (n.d.). S1 Agile. S1 Agile Engineering Tool Suite :: Ge Grid Solutions. https://www.gegridsolutions.com/multilin/catalog/engineering-tool-suite.htm#:~:text=S1%20Agile%20is%20the%20truly,via%20a%20few%20mouse-clicks.

gHale. (2023, November 8). Ge updates Micom S1 Agile. ISSSource. https://www.isssource.com/ge-updates-micom-s1-agile/

NIST. (2023, November 7). CVE-2023-0898 Detail. NVD. https://nvd.nist.gov/vuln/detail/CVE-2023-0898#VulnChangeHistorySection 

Common weakness enumeration. CWE. (n.d.). https://cwe.mitre.org/data/definitions/427.html