28 May 2018

Serious vulnerabilities in TELEM-GW6/GWM data concentrators

Martem TELEM-GW6/GWM data concentrators are affected by serious vulnerabilities. Successful exploitation of the three vulnerabilities identified could allow unauthorized execution of industrial process control commands, denial of service, or client-side execution of arbitrary code.

The vulnerabilities affect the following models:

  • GW6 Version 2018.04.18-linux_4-01-601cb47 and prior;
  • GWM Version 2018.04.18-linux_4-01-601cb47 and prior.

This type of equipment is used in the electric power sector for automatic collection of power meter data and simultaneous communication with the control center.

CVE-2018-10603, which has been assigned the highest possible severity rating (a CVSS v.3 base score of 10), is caused by missing authentication of IEC-104 control commands. Remote attackers can take advantage of this issue to gain control of the industrial process.

The second vulnerability, CVE-2018-10607, is an uncontrolled resource consumption issue: new connections are created without being closed properly, which may cause a denial of service within the industrial process control channel. A CVSS v.3 base score of 8.2 has been calculated for this vulnerability.

The last issue is an XSS vulnerability (CVE-2018-10609), which can be exploited for client-side execution of arbitrary code with the current user’s privileges. The vulnerability has been assigned a CVSS v.3 base score of 7.4.

The first two vulnerabilities can be eliminated by properly configuring the equipment in accordance with the user manual developed by Martem. To eliminate CVE-2018-10609, the vendor recommends upgrading firmware to version 2.0.73 or higher and protecting web server access with a firewall or removing it from the configuration if it is no longer needed.
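A defender-side check for the CVE-2018-10603 exposure described above, as an added example that is not from the advisory or from Martem: it parses IEC-104 APDUs and flags control-direction commands arriving from sources outside an allowlist of control-center addresses. The function names, the allowlist and the sample frames (documentation addresses) are constructed assumptions, and each payload is assumed to be reassembled TCP data sent to the concentrator's IEC-104 port.

```python
import ipaddress
import struct

# Process commands in the control direction (IEC 60870-5-101/104 type IDs):
# 45-51 without time tag, 58-64 with time tag.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))

def iter_apdus(payload):
    """Yield the body of each APDU (start byte 0x68, then a length octet)."""
    i = 0
    while i + 2 <= len(payload) and payload[i] == 0x68:
        length = payload[i + 1]
        if length < 4 or i + 2 + length > len(payload):
            return  # malformed or truncated frame
        yield payload[i + 2:i + 2 + length]
        i += 2 + length

def control_commands(payload):
    """Return (type_id, cause, common_address) for each control command."""
    found = []
    for apdu in iter_apdus(payload):
        asdu = apdu[4:]  # skip the four control-field octets
        if apdu[0] & 0x01 or len(asdu) < 6:
            continue  # S-/U-format frames carry no ASDU
        type_id, cot = asdu[0], asdu[2] & 0x3F
        if type_id in CONTROL_TYPE_IDS:
            found.append((type_id, cot, struct.unpack_from("<H", asdu, 4)[0]))
    return found

def alerts(segments, allowed_sources):
    """Flag control commands whose source is not an allowed control center."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    out = []
    for src, payload in segments:
        if not any(ipaddress.ip_address(src) in n for n in nets):
            out.extend((src, *cmd) for cmd in control_commands(payload))
    return out

# Constructed sample data (not captured traffic).
STARTDT = bytes.fromhex("680407000000")                          # U-format
SINGLE_CMD = bytes.fromhex("680e000000002d010600010010000001")   # type 45
MEASUREMENT = bytes.fromhex("680e0000000001010300010010000001")  # type 1
ALLOWED = ["192.0.2.10/32"]  # hypothetical control-center address
SAMPLE = [("192.0.2.10", STARTDT + SINGLE_CMD),
          ("198.51.100.7", STARTDT + SINGLE_CMD),
          ("198.51.100.7", MEASUREMENT)]

if __name__ == "__main__":
    for alert in alerts(SAMPLE, ALLOWED):
        print("control command from non-allowlisted source:", alert)
```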

Source: ICS-CERT