Advisory

Schweitzer Engineering Labs Software Vulnerabilities expose remote code execution

Take action: SEL tools usually run on internal systems, so there is no need to panic. Nevertheless, plan to isolate and lock down these computers and to patch the software systematically. It's easy to leave them unpatched, but hackers will find them, just as they found an old Windows 7 machine to exploit at a UK Ministry of Defence contractor just days ago.


Learn More

Security researchers from the Nozomi Networks Labs team conducted a review of two crucial software applications developed by Schweitzer Engineering Laboratories (SEL):

  • QuickSet
  • Grid Configurator

These applications are used on Windows workstations by engineers and technicians for commissioning, configuring, and monitoring SEL devices.

Schweitzer Engineering Laboratories, often abbreviated as SEL, is a company operating in the field of electrical power systems and automation. SEL specializes in the design, manufacturing, and support of protection, monitoring, control, and automation products for electric power systems.

The discovered vulnerabilities could enable a threat actor to execute code remotely on an engineering workstation, potentially allowing manipulation of the logic of SEL devices controlled by these applications. SEL has already released software patches for both QuickSet and Grid Configurator in response to the researchers' disclosure.

Please note that the aggregate severity of the vulnerabilities may be higher than the individual scores suggest, since the exploits could be chained to achieve a deeper compromise.

  • CVE-2023-31175 (CVSS3 score 8.8): Execution with Unnecessary Privileges
  • CVE-2023-34392 (CVSS3 score 8.2): Missing Authentication for Critical Function
  • CVE-2023-31173 (CVSS3 score 7.7): Use of Hard-coded Credentials
  • CVE-2023-31174 (CVSS3 score 7.4): Cross-Site Request Forgery (CSRF)
  • CVE-2023-31170 (CVSS3 score 5.9): Inclusion of Functionality from Untrusted Control Sphere
  • CVE-2023-31171 (CVSS3 score 5.9): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CVE-2023-31172 (CVSS3 score 5.9): Incomplete Filtering of Special Elements
  • CVE-2023-31168 (CVSS3 score 5.5): Inclusion of Functionality from Untrusted Control Sphere
  • CVE-2023-31169 (CVSS3 score 4.8): Improper Handling of Unicode Encoding

Impacts of these vulnerabilities include the potential for remote code execution and manipulation of logic in target devices. Attack vectors range from phishing emails with malicious attachments to insider threats. After compromising a workstation, attackers could exfiltrate data, manipulate device logic, or move laterally.

Additionally, CVE-2023-34392 exposes an unauthenticated web service, enabling client-side script execution and command sending to target devices, possibly through malicious webpages or compromised legitimate websites.

 
