
CVE-2020-25193 : Security Advisory and Response

Discover the impact of CVE-2020-25193 on GE Reason RT43X Clocks due to a hard-coded cryptographic key vulnerability. Learn about affected systems, exploitation risks, and mitigation steps.

GE Reason RT43X Clocks Use of Hard-coded Cryptographic Key

Understanding CVE-2020-25193

This CVE involves vulnerabilities in GE Reason RT43X Clocks due to the use of a hard-coded cryptographic key in firmware versions prior to 08A06.

What is CVE-2020-25193?

GE Reason RT430, RT431 and RT434 GNSS clocks contain a hard-coded cryptographic key. An attacker who obtains this key can intercept and decrypt traffic that is encrypted over an HTTPS connection.

The Impact of CVE-2020-25193

        CVSS Score: 5.3 (Medium Severity)
        Attack Vector: Network
        Confidentiality Impact: Low
        Integrity Impact: None
        Privileges Required: None
        This vulnerability does not impact availability.

Technical Details of CVE-2020-25193

Vulnerability Description

The vulnerability arises from the presence of a hard-coded cryptographic key in GE Reason RT43X Clocks' firmware versions before 08A06.

Affected Systems and Versions

        Affected Product: Reason RT43X Clocks
        Vendor: GE
        Affected Versions: Firmware versions prior to 08A06

Exploitation Mechanism

Attackers can exploit this vulnerability by gaining access to the hard-coded cryptographic key, allowing them to decrypt encrypted traffic over HTTPS connections.

Mitigation and Prevention

Immediate Steps to Take

        Update Reason RT43X products to firmware Version 08A06 or higher as recommended by GE.
        Evaluate current risks and implement network security measures to mitigate potential threats.

Long-Term Security Practices

        Use strong network and physical security measures to prevent unauthorized access.
        Block TCP/IP Ports 80 and 443 to prevent HTTP/HTTPS access to the web interface of Reason RT43X products.
        Minimize network exposure for control system devices and ensure they are not accessible from the Internet.
        Monitor security events to detect any unusual traffic or communication.

Patching and Updates

Ensure that all affected Reason RT43X products are updated to firmware Version 08A06 or above to address the vulnerabilities.
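
The mitigation steps above can be checked against a device inventory. The following is an added example, not code from GE or from this advisory: it flags clocks whose firmware is older than 08A06 and records whether ports 80 and 443 are reachable. The inventory layout, the function names and the version ordering (two digits, a letter, two digits, compared left to right) are assumptions.

```python
import re
import socket

FIXED_VERSION = "08A06"   # first fixed firmware version named in the advisory
WEB_PORTS = (80, 443)     # web interface ports the advisory says to block

def parse_fw(version):
    """Turn a version such as '08A06' into a comparable tuple (8, 'A', 6).
    Assumption: two digits, one letter, two digits, ordered left to right."""
    m = re.fullmatch(r"(\d{2})([A-Z])(\d{2})", version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m.group(1)), m.group(2), int(m.group(3))

def is_vulnerable(version):
    """True when the firmware is older than the fixed version."""
    return parse_fw(version) < parse_fw(FIXED_VERSION)

def port_open(host, port, timeout=2.0):
    """TCP connect check; run it from the network segment being assessed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(inventory, probe=port_open):
    """Return one finding per device: firmware status and reachable web ports."""
    findings = []
    for dev in inventory:
        try:
            vulnerable = is_vulnerable(dev["firmware"])
        except ValueError:
            vulnerable = None  # unknown version format: review by hand
        exposed = [p for p in WEB_PORTS if probe(dev["host"], p)]
        findings.append(
            {"host": dev["host"], "vulnerable": vulnerable, "exposed": exposed})
    return findings

# Constructed sample inventory (documentation addresses, not real devices).
SAMPLE = [
    {"host": "192.0.2.10", "firmware": "08A05"},
    {"host": "192.0.2.11", "firmware": "08A06"},
    {"host": "192.0.2.12", "firmware": "unknown"},
]
```

Call `audit(SAMPLE)` with your own inventory in place of the sample; devices reported with `vulnerable` set to `True` and a non-empty `exposed` list are the first to update and to isolate.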
