GE Multilink Switch Vulnerabilities (Update A)
Low Risk | ICS-CERT ICSA-15-013-04A | Oct 16, 2015
Summary
GE Multilink switches (ML800/1200/1600/2400 firmware ≤4.2.1 and ML810/3000/3100 firmware ≤5.2.0) contain multiple vulnerabilities: CWE-400 (buffer overflow), CWE-321 (weak cryptographic key handling), and CWE-79 (improper input validation / injection). These flaws allow an attacker with network access to potentially compromise switch functionality, disrupt inter-device communication, or modify switch configuration. No vendor patch is currently available for affected versions.
What this means
What could happen
Network switches in critical water and power infrastructure could be disrupted or misconfigured by an attacker, potentially interrupting communication between control systems and field devices. A successful attack could prevent operators from monitoring or controlling physical equipment.
Who's at risk
Water utilities and electric utilities that rely on GE Multilink network switches (ML800, ML810, ML1200, ML1600, ML2400, ML3000, ML3100 series) for inter-switch communication and control system connectivity. Any facility using these switches for SCADA, RTU, or PLC networks should assess exposure.
How it could be exploited
An attacker with network access to the switch could exploit buffer overflow, weak cryptographic key handling, or cross-site scripting vulnerabilities to gain unauthorized control of the device or inject malicious commands into its configuration.
Prerequisites
- Network access to the Multilink switch management interface or data ports
- No authentication bypass required for some attack paths (CWE-400, CWE-79 suggest buffer overflow and injection flaws)
- Physical proximity or network reachability to the switch
- No patch available
- Remotely exploitable
- Affects critical infrastructure networks
- Buffer overflow vulnerability (CWE-400)
- Weak cryptographic key handling (CWE-321)
- Injection vulnerability (CWE-79)
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| GE Multilink ML800/1200/1600/2400 | ≤ 4.2.1 | No fix (EOL) |
| GE Multilink ML810/3000/3100 series switch | ≤ 5.2.0 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to the Multilink switch from untrusted networks; isolate the switch on a dedicated industrial network segment with strict firewall rules
- HARDENING: Monitor network traffic to and from the Multilink switch for anomalous activity that could indicate exploitation attempts
- WORKAROUND: Disable remote management interfaces on the switch if not required for normal operations
- HARDENING: Restrict access to the switch to known engineering workstations and management systems via IP whitelisting
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Contact GE Vernova to request a patch or security advisory if one becomes available