OTPulse

Schweitzer Engineering Laboratories Improper Input Validation

Low Risk | ICS-CERT ICSA-13-219-01 | May 10, 2013
Summary

Schweitzer Engineering Laboratories SEL-3530, SEL-3530-4, SEL-3505, and SEL-2241 protective relays contain an improper input validation vulnerability (CWE-20) in their communication handlers. A remote attacker can send specially crafted input to these devices, causing them to process the data unexpectedly. The vulnerability affects multiple firmware versions released between 2009 and January 2013. The vendor has not released patches for these end-of-life products.

What this means
What could happen
An attacker who sends specially crafted input to a vulnerable SEL relay device could cause improper processing, potentially leading to denial of service or unexpected relay behavior that disrupts power distribution or protection operations.
Who's at risk
Electric utilities and distributed power systems operators relying on SEL-3530, SEL-3530-4, SEL-3505, or SEL-2241 protective relays for substation automation, feeder protection, or generator protection are affected. These relays control circuit breakers and protection logic critical to grid stability.
How it could be exploited
An attacker with network access to the relay's communication port could send malformed commands or data packets that bypass input validation. The relay would process the invalid input unexpectedly, potentially crashing the device or causing it to malfunction.
Prerequisites
  • Network access to the relay's communication port (port 502 for Modbus, or the proprietary SEL protocol port)
  • Knowledge of the relay's expected command format, in order to craft input that bypasses validation
  • Remotely exploitable via network
  • No authentication required for basic relay access
  • No patch available (end-of-life products)
  • Affects safety/protection systems
  • Low complexity attack
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
All 4 products are end-of-life (EOL)
Product | Affected versions (inclusive range) | Fix status
SEL-3530 | >= SEL-3530-R100-V0-Z001001-D20090915 and <= SEL-3530-R123-V0-Z002001 | No fix (EOL)
SEL-3505 | >= SEL-3505-R119-V0-Z001001-D20120720 and <= SEL-3505-R123-V0-Z002001-D20130117 | No fix (EOL)
SEL-2241 | >= SEL-2241-R113-V0-Z001001-D20110721 and <= SEL-2241-R123-V0-Z002001-D20130117 | No fix (EOL)
SEL-3530-4 | >= SEL-3530-4-R107-V0-Z001001-D20100818 and <= SEL-3530-4-R123-V0-Z002001-D20130117 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate affected SEL relays from untrusted network segments using firewall rules or network segmentation, restricting access to authorized engineering workstations and RTU/SCADA systems only.
WORKAROUND: Disable unnecessary communication protocols (such as Modbus or remote access features) if they are not required for normal operation.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor relay communication logs and counters for signs of malformed input attempts or unusual activity patterns.
Long-term hardening
HOTFIX: Plan replacement of affected end-of-life relays with current SEL models that include input validation improvements.