OTPulse

GE Hydran M2 Predictable TCP Initial Sequence Vulnerability

Severity: Low Risk | Source: ICS-CERT ICSA-15-041-02 | Published: Nov 13, 2015
Summary

The GE Hydran M2 uses predictable TCP initial sequence numbers (ISNs) in its connection establishment process. An attacker with network access could predict these sequences and conduct TCP session hijacking or man-in-the-middle attacks against active connections, potentially allowing command injection or traffic manipulation without authentication.

What this means
What could happen
An attacker on the same network could predict TCP connection sequences to the Hydran M2, potentially enabling session hijacking or man-in-the-middle attacks that could interfere with water treatment or monitoring functions.
Who's at risk
Water utilities and municipal authorities operating GE Hydran M2 control devices. This device is commonly used for water treatment plant monitoring and control. Affected systems remain in use despite the age of this advisory.
How it could be exploited
An attacker with network access to the Hydran M2 could analyze TCP initial sequence numbers to predict future sequences. By predicting the sequence numbers, the attacker could forge TCP packets to hijack an existing connection or inject commands into active sessions without needing to see the actual traffic.
Prerequisites
  • Network access to the Hydran M2 device
  • Ability to observe or measure multiple TCP connections to the device
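Added example, not code from the advisory or from GE: a Python check a defender can run over ISNs collected from a device's own handshakes (one ISN per connection, in order) to confirm whether its sequence numbers are predictable before deciding how strictly to segment it. It folds consecutive ISN deltas onto the 32-bit ring and scores their spread in the spirit of Nmap's ISN predictability index; the classification thresholds and the two sample ISN lists are assumptions constructed for illustration, and the check works for any TCP stack, not only the Hydran M2.

```python
import math
from statistics import pstdev
from typing import Dict, List

ISN_MODULUS = 2 ** 32
HALF_RING = 2 ** 31

# Thresholds are assumptions for this example, not values from the advisory.
CONSTANT_INCREMENT_MAX = 10   # index below this: deltas are (almost) fixed
LOW_ENTROPY_MAX = 80          # index below this: too little variation to resist guessing


def isn_deltas(isns: List[int]) -> List[int]:
    """Consecutive ISN differences modulo 2^32, so a wrap of the 32-bit
    sequence space (e.g. 0xFFFFFF00 -> 0x00000100) yields a small delta."""
    return [(b - a) % ISN_MODULUS for a, b in zip(isns, isns[1:])]


def isn_predictability_index(isns: List[int]) -> float:
    """Heuristic in the spirit of Nmap's ISN predictability index:
    8 * log2(stddev of consecutive deltas). 0 means every delta is identical;
    a well-randomised generator scores well above 200."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    # Fold each delta to the shortest signed distance on the 32-bit ring.
    signed = [d - ISN_MODULUS if d >= HALF_RING else d for d in isn_deltas(isns)]
    sd = pstdev(signed)
    return 0.0 if sd < 1 else 8 * math.log2(sd)


def assess_isns(isns: List[int]) -> Dict[str, object]:
    """Classify a run of observed ISNs; 'predictable' flags the weakness."""
    idx = isn_predictability_index(isns)
    if idx < CONSTANT_INCREMENT_MAX:
        verdict = "constant-increment"
    elif idx < LOW_ENTROPY_MAX:
        verdict = "low-entropy"
    else:
        verdict = "randomized"
    return {"index": round(idx, 1), "verdict": verdict, "predictable": idx < LOW_ENTROPY_MAX}


# Constructed samples: a stack that bumps its ISN by a fixed step per handshake
# (the behaviour class the advisory describes) next to a randomised one.
FIXED_STEP_ISNS = [0x1000, 0x2000, 0x3000, 0x4000, 0x5000, 0x6000]
RANDOM_ISNS = [0x12345678, 0x9ABCDEF0, 0x0F1E2D3C, 0xDEADBEEF, 0x5A5A5A5A, 0xC0FFEE00]

if __name__ == "__main__":
    for name, sample in (("fixed-step", FIXED_STEP_ISNS), ("randomised", RANDOM_ISNS)):
        print(name, assess_isns(sample))
```

A "constant-increment" or "low-entropy" verdict on a production device is the condition the advisory's network-isolation mitigations are meant to compensate for.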
Tags: No patch available | Remotely exploitable via TCP | Affects legacy/end-of-life equipment | Predictable cryptographic function
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Hydran M2: <October_2014 | <October 2014 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Hydran M2 to only authorized engineering workstations and control systems.
Mitigations - no patch available
Hydran M2: <October_2014 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the Hydran M2 device from untrusted networks using network segmentation (firewall rules, VLAN isolation, or air-gapping).
HARDENING: Monitor network traffic to and from the Hydran M2 for suspicious activity, such as unexpected connections or session hijacking attempts.