23 May 2018

Serious vulnerability fixed in PACSystems industrial controllers

A range of General Electric PACSystems industrial controllers are affected by a serious vulnerability. Its successful exploitation could cause the device to reboot and change its state, causing it to become unavailable.

The issue (CVE-2018-8867) has to do with improper input data validation, making it possible to carry out successful attacks on the device by sending specially crafted packets to it. A CVSS v.3 base score of 7.5 has been calculated for the vulnerability.

The vulnerability affects the following PACSystems controller models:

  • RX3i CPE305/310 version 9.20 and earlier,
  • RX3i CPE330 version 9.21 and earlier,
  • RX3i CPE 400 version 9.30 and earlier,
  • RSTi-EP CPE 100 (all versions);
  • CPU320/CRU320 (all versions);
  • RXi (all versions).

General Electric has released firmware updates to mitigate the vulnerability and made them available on its website. The company recommends installing the relevant updates as soon as possible.

Source: ICS-CERT