CVE-2021-27420 : What You Need to Know
Learn about CVE-2021-27420 affecting GE UR family firmware. Understand the vulnerability, impact, affected systems, and mitigation steps for enhanced security.
GE UR firmware versions prior to version 8.1x are vulnerable to a security issue related to improper handling of unsupported HTTP verbs in the web server task. This vulnerability can lead to the web server becoming temporarily unresponsive after receiving unsupported HTTP requests.
Understanding CVE-2021-27420
This section provides insights into the nature and impact of the CVE-2021-27420 vulnerability.
What is CVE-2021-27420?
The CVE-2021-27420 vulnerability affects GE UR family devices running firmware versions prior to 8.1x. It arises due to the web server's inability to properly handle unsupported HTTP verbs, resulting in temporary unresponsiveness and inaccessibility.
The Impact of CVE-2021-27420
Although the web server may become temporarily unresponsive, the relay functionality of the device remains effective in other aspects. However, the unresponsiveness can impact access to the web server.
Technical Details of CVE-2021-27420
In this section, we delve into the technical aspects of the CVE-2021-27420 vulnerability.
Vulnerability Description
The vulnerability stems from the web server task's lack of proper handling of unsupported HTTP verbs, causing temporary unresponsiveness and inaccessibility.
Affected Systems and Versions
GE UR family devices running firmware versions prior to 8.1x are affected by this vulnerability.
Exploitation Mechanism
Attackers can exploit this vulnerability by sending a series of unsupported HTTP requests, triggering temporary unresponsiveness in the web server.
Mitigation and Prevention
This section outlines the steps to mitigate and prevent exploitation of CVE-2021-27420.
Immediate Steps to Take
GE strongly recommends updating impacted UR devices to UR firmware Version 8.10 or later to address this vulnerability. Additional mitigations and information can be found in GE Publication Number: GES-2021-004 (login required).
Long-Term Security Practices
To enhance security, GE advises using network defense-in-depth practices for UR IED, such as placing the devices within the control system network's security perimeter and implementing access controls, monitoring, and other mitigating technologies.
Patching and Updates
Users are encouraged to refer to the UR Deployment guide for secure configuration of UR IED and system in addition to updating firmware to the recommended versions.