Beckwith Fixes TCP Initial Sequence Hole

Wednesday, June 3, 2015 @ 11:06 AM gHale


Beckwith Electric released firmware upgrades that mitigate a TCP initial sequence numbers vulnerability in five of six affected products, according to a report on ICS-CERT.

In addition, Beckwith Electric is offering a specific mitigation for the sixth affected product.

Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech, via a research project partially sponsored by the Georgia Tech National Electric Energy Testing Research and Applications Center, discovered the vulnerability in two of Beckwith Electric’s digital voltage regulator controllers. In response to the reported vulnerability, Beckwith Electric assessed its other products for this vulnerability and identified four similarly affected devices.

The Georgia Tech team tested the upgrades for the M-6200 and the M-6200A devices and validated they resolve the remotely exploitable vulnerability.

The following Beckwith Electric products suffer from the issue:
• M-6200 Digital Voltage Regulator Control, firmware versions prior to Version D 0198V04.07.00
• M-6200A Digital Voltage Regulator Control, firmware versions prior to Version D 0228V02.01.07
• M-2001D Digital Tapchanger Control, firmware versions prior to Version D-0214V01.10.04
• M-6283A Three Phase Digital Capacitor Bank Control, firmware versions prior to Version D-0346V03.00.02
• M-6280A Digital Capacitor Bank Control, firmware versions prior to Version D 0254V03.05.05
• M-6280 Digital Capacitor Bank Control, all firmware versions

Successful exploitation of this vulnerability could result in a denial-of-service condition or session hijacking.

Beckwith Electric is a Largo, FL-based company that supplies products associated with the production, transmission, and distribution of electric power.

The M-6200 and M-6200A Digital Voltage Regulator Controls are microprocessor-based step-voltage regulator load tapchanger controllers. The M-2001D Digital Tapchanger Control provides stepped voltage regulation. The M-6283A Three Phase Digital Capacitor Bank Control, M-6280A Digital Capacitor Bank Control, and M-6280 Digital Capacitor Bank Control are used for remote capacitor automation, monitoring, and protection. According to Beckwith Electric, all six devices are deployed in the energy sector, primarily in the United States.

The affected devices generate predictable TCP initial sequence numbers: an attacker who has observed a few previous values can compute the value the device will use for its next connection. Because a TCP endpoint accepts any segment that carries the expected sequence number, that knowledge lets an attacker who never sees the traffic forge segments the device treats as coming from the legitimate peer. A spoofed connection or injected data is the session hijacking, and a spoofed reset is the denial of service, noted above.
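The following added example, which is not Beckwith Electric's firmware or ICS-CERT's material, shows the analysis a tester runs on ISNs sampled from a device and why a predictable generator is exploitable. It is constructed around two hypothetical generators: a counter with a fixed per-connection increment (a generic weak design, not a description of the affected firmware, whose internals the advisory does not give) and an RFC 6528-style generator, ISN = M + F(4-tuple, secret), as the hardened form. The IP addresses, port numbers, secret and increment are arbitrary assumptions.

```python
"""Predictable vs. unpredictable TCP initial sequence numbers (ISNs).

Constructed example: a counter-style ISN generator, an RFC 6528-style
generator as the hardened form, and the analysis an attacker, or a tester,
runs on ISNs sampled from a device to decide whether the next one is guessable.
"""
import hashlib
import hmac
import os
import statistics
import time
from functools import reduce
from math import gcd

MOD32 = 1 << 32


class CounterISN:
    """Weak generator (hypothetical): a global counter bumped by a fixed step per
    connection. Two observed ISNs give away the step, and with it every future ISN."""

    def __init__(self, start=0x1234_5678, step=64_000):   # arbitrary values
        self.value = start
        self.step = step

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        self.value = (self.value + self.step) % MOD32
        return self.value


class Rfc6528ISN:
    """ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret):
    M is a 4-microsecond clock, F a keyed hash of the 4-tuple (RFC 6528 scheme).
    ISNs an attacker collects on its own connections reveal nothing about F for
    another host's 4-tuple, because the secret never leaves the device."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock or (lambda: int(time.monotonic() * 250_000))

    def next_isn(self, local_ip, local_port, remote_ip, remote_port):
        tuple_bytes = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
        tag = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        return (self.clock() + int.from_bytes(tag[:4], "big")) % MOD32


def signed_deltas(isns):
    """Differences between consecutive ISNs, mapped to signed values so that a
    32-bit wraparound is not mistaken for a huge jump."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD32
        out.append(d - MOD32 if d >= MOD32 // 2 else d)
    return out


def analyze(isns):
    """Return (step, spread): the gcd of the observed increments and their
    standard deviation. spread == 0 means the generator is a pure counter."""
    deltas = signed_deltas(isns)
    step = reduce(gcd, (abs(d) for d in deltas), 0)
    return step, statistics.pstdev(deltas)


def predict_next(isns):
    """Best guess for the next ISN: last value plus the mean increment."""
    deltas = signed_deltas(isns)
    return (isns[-1] + round(statistics.mean(deltas))) % MOD32


def distance(a, b):
    """Shortest distance between two 32-bit sequence numbers, wrap-aware."""
    d = (a - b) % MOD32
    return abs(d - MOD32 if d >= MOD32 // 2 else d)


def spoof_trial(gen, probes=16, tolerance=0):
    """Simulate the blind attack: the attacker opens `probes` connections of its
    own to sample the device's ISNs, predicts the ISN the device will use on a
    connection the attacker cannot see (the spoofed one), and checks whether the
    guess lands within `tolerance` of the real value. Completing a spoofed
    handshake needs an exact hit (the ACK must carry ISN + 1); injecting into an
    established session only needs to land inside the peer's receive window.
    Returns (hit, (step, spread)). Addresses and ports are arbitrary."""
    if probes < 2:
        raise ValueError("need at least two samples to measure increments")
    device, attacker, victim = "192.0.2.10", "203.0.113.7", "192.0.2.20"
    device_port = 1234
    observed = [gen.next_isn(device, device_port, attacker, 40_000 + i) for i in range(probes)]
    guess = predict_next(observed)
    actual = gen.next_isn(device, device_port, victim, 51_000)   # ISN of the spoofed connection
    return distance(guess, actual) <= tolerance, analyze(observed)


if __name__ == "__main__":
    print("counter:", spoof_trial(CounterISN()))
    print("rfc6528:", spoof_trial(Rfc6528ISN()))
```

Against the counter generator the trial reports a hit with step 64000 and spread 0: after sixteen probe connections the attacker knows the next ISN exactly. Against the RFC 6528 generator the sampled increments have no usable structure and the guess misses. The same measurement is what nmap's OS detection (`nmap -O`) reports as "TCP Sequence Prediction: Difficulty=...", with a low difficulty meaning the device is guessable. Run such probing only against a lab unit or with explicit authorization: repeated connection attempts against a production regulator or capacitor bank controller can themselves disturb it.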

The vulnerability has been assigned CVE-2014-9201 and carries a CVSS v2 base score of 5.8.

No known public exploits specifically target this vulnerability. An attacker with a medium skill level could exploit it.

Beckwith Electric has developed firmware upgrades that resolve the predictable TCP initial sequence numbers vulnerability in all the affected products except the M-6280 Digital Capacitor Bank Control, for which it is offering a specific mitigation. Beckwith Electric has posted a customer notification on becoconnect.com for users with a valid account.

For firmware upgrades and the mitigation for the M-6280, contact Beckwith Electric’s Customer Technical Support at (727) 544-2326 or via email.