GE Bently Nevada 3500/22M Improper Authorization Vulnerability
Score: 10 · ICS-CERT advisory: ICSA-16-252-01 · Published: Jun 12, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
GE Bently Nevada 3500/22M monitoring units (both USB and serial versions) contain an improper authorization flaw in the authentication mechanism. An attacker can bypass access controls without credentials and modify device configuration, setpoints, or monitoring parameters. All firmware versions are affected and the vendor has not released a patch. The device is used for vibration and condition monitoring on rotating machinery and is typically installed in power generation, petrochemical, and industrial facilities.
What this means
What could happen
An attacker with network access to the Bently Nevada 3500/22M monitoring unit could bypass authentication controls and gain unauthorized access to alter vibration setpoints, disable alarms, or stop equipment monitoring—potentially allowing dangerous machinery to operate undetected.
Who's at risk
Operators of critical rotating machinery monitoring systems should care: this affects vibration monitoring units used in power plants, refineries, compressor stations, and pumping facilities. The GE Bently Nevada 3500/22M is a condition monitoring device that detects bearing wear and equipment faults—loss of integrity could mask equipment failures until catastrophic failure occurs.
How it could be exploited
An attacker sends specially crafted network requests to the device without valid credentials. The device does not properly verify authorization, allowing the attacker to directly access and modify monitoring configurations or operational parameters. This could be exploited over the network if the device is connected to an engineering workstation or control system network.
Prerequisites
- Network access to the Bently Nevada 3500/22M on port 502 or standard service ports
- No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects safety/monitoring systems · critical CVSS score (10.0)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2), both end of life (EOL)
Product | Affected Versions | Fix Status
GE Bently Nevada 3500/22M (USB version) | Firmware: <5.0 | No fix (EOL)
GE Bently Nevada 3500/22M (serial version) | All versions (vers:all/*) | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation: isolate the Bently Nevada 3500/22M on a dedicated VLAN with firewall rules that restrict access to only authorized engineering workstations and monitoring systems
- WORKAROUND: Disable remote network access to the device if not operationally required; use serial-only configuration and air-gap the unit from networked systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement a stateful firewall or industrial demilitarized zone (DMZ) between any Bently Nevada units and corporate networks or untrusted networks
- HARDENING: Monitor all network traffic to and from the Bently Nevada 3500/22M for unauthorized access attempts or configuration changes
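The segmentation and monitoring items above amount to one control: only a short allowlist of engineering hosts may reach the monitoring unit, and every other flow toward it should be flagged. The following is an added example of that review logic, not code from the advisory or from GE; the unit address, VLAN, allowlisted workstations and flow records are all constructed for illustration, and port 502 is the only port the advisory itself names.

```python
"""Allowlist-based review of flow records for a segmented monitoring unit.

Added example (not from the advisory). Assumptions: the unit sits on a
dedicated VLAN at UNIT_IP, only the hosts in ALLOWED_SOURCES may talk to it,
and flow records arrive as dicts with src, dst and dport fields (as a
firewall or NetFlow export would provide). All values below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

UNIT_IP = ip_address("10.20.30.40")          # assumed address of the 3500/22M
UNIT_VLAN = ip_network("10.20.30.0/24")      # assumed dedicated monitoring VLAN
ALLOWED_SOURCES = {                          # assumed engineering workstations
    ip_address("10.20.30.10"),
    ip_address("10.20.30.11"),
}
SERVICE_PORTS = {502}                        # port named in the advisory prerequisites


@dataclass(frozen=True)
class Finding:
    src: str
    dport: int
    reason: str


def review_flows(flows):
    """Return a Finding for every flow to the unit that the allowlist does not permit.

    The ordering of checks matters: a source outside the VLAN is a
    segmentation failure regardless of port, so it is reported first.
    """
    findings = []
    for flow in flows:
        src = ip_address(flow["src"])
        if ip_address(flow["dst"]) != UNIT_IP:
            continue                         # traffic not aimed at the unit
        if src in ALLOWED_SOURCES:
            continue                         # permitted engineering host
        if src not in UNIT_VLAN:
            reason = "source outside the monitoring VLAN"
        elif flow["dport"] in SERVICE_PORTS:
            reason = "non-allowlisted host on a device service port"
        else:
            reason = "non-allowlisted host"
        findings.append(Finding(str(src), flow["dport"], reason))
    return findings


# Constructed sample flows: one permitted, one from a stray VLAN host on 502,
# one from a corporate subnet, one not aimed at the unit, one on another port.
SAMPLE_FLOWS = [
    {"src": "10.20.30.10", "dst": "10.20.30.40", "dport": 502},
    {"src": "10.20.30.55", "dst": "10.20.30.40", "dport": 502},
    {"src": "192.168.1.7", "dst": "10.20.30.40", "dport": 502},
    {"src": "10.20.30.11", "dst": "10.20.30.99", "dport": 502},
    {"src": "10.20.30.56", "dst": "10.20.30.40", "dport": 22},
]


def sample_findings():
    """Run the review over the constructed sample and return the findings."""
    return review_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"ALERT src={f.src} dport={f.dport}: {f.reason}")
```

Feeding real flow exports into `review_flows` turns the "monitor all network traffic" item into a concrete alert condition; the same allowlist doubles as the source for the firewall rules that enforce the segmentation.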
CVEs (1)