CVE-2017-7905

EPSS 0.2%
Veröffentlicht 30.06.2017 03:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle ics-cert@hq.dhs.gov
Teams Watchlist Login
Unerledigt Login

A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 4 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ge ≫ Multilin Sr 750 Feeder Protection Relay Firmware Version <= 5.02

Ge ≫ Multilin Sr 750 Feeder Protection Relay Version-

Ge ≫ Multilin Sr 760 Feeder Protection Relay Firmware Version <= 5.02

Ge ≫ Multilin Sr 760 Feeder Protection Relay Version-

Ge ≫ Multilin Sr 469 Motor Protection Relay Firmware Version <= 2.90

Ge ≫ Multilin Sr 469 Motor Protection Relay Version-

Ge ≫ Multilin Sr 489 Generator Protection Relay Firmware Version <= 1.53

Ge ≫ Multilin Sr 489 Generator Protection Relay Version-

Ge ≫ Multilin Sr 745 Transformer Protection Relay Firmware Version <= 2.85

Ge ≫ Multilin Sr 745 Transformer Protection Relay Version-

Ge ≫ Multilin Sr 369 Motor Protection Relay Firmware Version-

Ge ≫ Multilin Sr 369 Motor Protection Relay Version-

Ge ≫ Multilin Universal Relay Firmware Version <= 6.0

Ge ≫ Multilin Universal Relay Version-

Ge ≫ Multilin Urplus D90 Firmware Version-

Ge ≫ Multilin Urplus D90 Version-

Ge ≫ Multilin Urplus C90 Firmware Version-

Ge ≫ Multilin Urplus C90 Version-

Ge ≫ Multilin Urplus B95 Firmware Version-

Ge ≫ Multilin Urplus B95 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.386

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-261 Weak Encoding for Password

Obscuring a password with a trivial encoding does not protect the password.

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

http://www.securityfocus.com/bid/98063

Third Party Advisory

VDB Entry

https://ics-cert.us-cert.gov/advisories/ICSA-17-117-01A

Patch

Third Party Advisory

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2017-7905

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-7905

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-7905

EUVD