Protection, automation, and bay control systems are used in the electrical power industry to enhance the efficiency and reliability of substations. These solutions depend on real-time monitoring to quickly spot problems in the power grid. Any disruption to this monitoring could hinder their detection and reaction to problems, making the grid vulnerable to widespread blackouts.
While analyzing the SEL-451 by Schweitzer Engineering Laboratories, our security research team found five vulnerabilities that when chained could lead to a DoS condition, disrupting its ability to monitor the power grid. Threat actors could gain access by either bypassing authentication or tricking a victim with credentials into clicking on a malicious link, and then abuse another vulnerability that allows them to disable it for an arbitrary amount of time. SEL has acknowledged the discovered flaws and solved them in their latest official firmware releases.
In this blog, we’ll introduce some basics of the SEL-451, explain the impacts of the vulnerabilities we found, along with a detailed analysis of the most important ones. Lastly, we’ll share recommendations for how asset owners can remediate these issues. This is the latest of a series of analyses done on SEL equipment, where we found vulnerabilities in Real Time Automation Controllers and engineering workstations.
The SEL-451 Protection, Automation, and Bay Control System
As mentioned above, protection, automation, and bay control systems help ensure the reliability, efficiency, and safety of electrical power systems. These interconnected systems monitor, control, and protect the power grid, ensuring a seamless supply of electricity to consumers.
Protection systems are the first line of defense against faults and disturbances in power systems, which can range from short circuits and overloads to more severe events like insulation failures. The primary goal of protection systems is to swiftly detect these anomalies and isolate the affected part of the system to prevent widespread outages and equipment damage.
The SEL-451 is a standalone system that provides complete substation bay control in a single device. It’s comprised of a two-breaker control and high-speed breaker failure detection, with integrated high-impedance fault detection and overcurrent protection systems. Motor-operated switches, capacitor banks, and field I/O can be controlled either from the relay front panel or remotely through an Ethernet network via the Telnet command line interface.
The device offers the option to enable an HTTP web application. Read-only pages show a subset of the available settings, metering, and status reports, while an active webpage shows firmware upgrades. This firmware upgrade page allows users to upload a new firmware image to the device and start the upgrade process from a web browser.
The vulnerabilities discovered through our research were found in this HTTP web application. Below, we discuss the impacts enabled by these vulnerabilities along with possible attack vectors. Then, we provide the full list of identified vulnerabilities, a focus on the most relevant ones, and the available remediations.
What Are the Impacts of These Vulnerabilities?
The impacts enabled by the five vulnerabilities we found can mostly be classified into two groups:
- Authentication bypass: a malicious actor without proper authentication may circumvent the web interface login page in three ways, gaining access with the privileges of an authorized user. This intrusion is possible for attackers within the network as well as remote internet adversaries who trick a user with a browsing session on the device into clicking on a link or visiting a malicious page.
- Denial-of-Service: an attacker can take advantage of two weaknesses in the web interface, located in separate functions within the authenticated section of the web application, to force the device into a DoS state. Notably, the exploitation of one of these weaknesses causes the device to become "disabled," rendering it nonfunctional and inoperative for an arbitrary amount of time.
These vulnerabilities can be easily chained. An internet attacker could initiate the assault by circumventing the authentication through a sent link. Upon obtaining authenticated access, the attacker may exploit one of the other two vulnerabilities to trigger the DoS on the device, rendering it incapable of monitoring and safeguarding the power grid.
Vulnerability List and Affected Versions
The following table lists all vulnerabilities found, ordered by CVSS v3.1 base score.
All CVEs affect the entire family of SEL-451 devices and the same firmware versions:
- from R315-V0 before R315-V4
- from R316-V0 before R316-V4
- from R317-V0 before R317-V4
- from R318-V0 before R318-V5
- from R320-V0 before R320-V3
- from R321-V0 before R321-V3
- from R322-V0 before R322-V3
- from R323-V0 before R323-V5
- from R324-V0 before R324-V4
- from R325-V0 before R325-V3
- from R326-V0 before R326-V1
- from R327-V0 before R327-V1
Vulnerability Spotlight and Technical Details
The series of vulnerabilities that we uncovered could allow an attacker to bypass authentication on the management web interface and induce a DoS condition on the SEL-451. The same outcome can also be achieved by luring a victim into clicking on a link or visiting a malicious page.
In this section, we describe the three most relevant vulnerabilities found in our analysis and that can be used in the aforementioned chains to disable the device.
CVE-2023-31176: Insufficient Entropy
We found CVE-2023-31776 in the generation algorithm of the session token that tracks a user's session through the web application and is included in all authenticated requests to the device.
In information theory, the entropy of a value quantifies the total information it encapsulates. The length of the session token varies between 24 and 31 characters, and the character space is the one of a URL-safe Base64 (thus, 6 bits per character). On paper, the maximum entropy should range from 144 to 186 bits, and these figures are comfortably higher than the recommended 80-bit minimum needed to guard against all sorts of brute-force attacks.
After collecting tens of millions of tokens, we noticed that the majority of them resulted in duplicates and presented evident patterns. This led to us being able to reduce the actual amount of entropy to between 18 and 21 bits, depending on its length. And, in testing another instance of the same device model, we quickly realized that different devices generate the same set of tokens.
Considering that the SEL-451 can process up to 4000 reqs/min, we concluded that an attacker could successfully perform a session token brute-force attack and bypass the authentication process and that it could take them between 30 minutes and 4 hours. With these values, attacks like this one may be achievable in a real-world scenario, depending on the final installation and usage context.
CVE-2023-34389: Allocation of Resources Without Limits or Throttling
This CVE was discovered while testing the device firmware update, where we noticed that the device enters a disabled state as soon as the upload of the firmware package begins. In this state, all physical buttons on the device are unresponsive, the update of control outputs does not occur, and the device offers limited functionality through the exposed network services.
While conducting fuzzing tests on the HTTP request used for uploading images, we discovered a notable discrepancy: the device does not impose the same size restrictions on the upload package as it does for other management services it offers, such as FTP. Surprisingly, it's willing to accept file uploads of sizes up to several gigabytes, which could take hours to complete.
With this lack of size restrictions, an attacker could exploit the device by uploading a large file to keep it disabled and unusable for an extended period of time. The only way to restore the device to normal operation would be to interrupt the upload process by force, such as by restarting the device or severing the network connection.
CVE-2023-31177: Improper Neutralization of Input During Web Page Generation
A variant of the chain described above could have been enacted by replacing the first flaw (CVE-2023-31176) with CVE-2023-31177, if the attacker was not to have direct connectivity with the target device. This vulnerability is due to a poorly sanitized input field that eventually ends in an innerHTML sink, resulting in a DOM-Based Cross-Site Scripting (XSS).
In this scenario, the DoS condition could have been generated by sending a link to a victim (likely an engineer) and by tricking them into clicking on it while having an active session to the device, or by inducing them to visit a malicious page. Of course, an attacker in this position may also obtain other impacts, such as theft of sensitive data, manipulation of view, or spread of malicious content.
SEL has developed multiple official firmware updates (one per supported release branch) that fix all reported vulnerabilities. Please refer to the section “Vulnerability List and Affected Versions” of this blog for more details.