GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi

Plan PatchCVSS 7.5ICS-CERT ICSA-18-137-01May 17, 2018

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The vulnerability is caused by improper input validation in GE PACSystems and RSTi-EP CPUs. An attacker who can reach the device on the network can send a crafted message that causes the device to reboot and change state, rendering it unavailable. This affects PACSystems CPE305/310/330/400, RSTi-EP CPE100, CPU320/CRU320, and RXi models. GE has released firmware updates for CPE305, CPE310, CPE330, and CPE400. CPU320/CRU320 is end-of-life with no patch available; GE recommends migration to supported models. CPE100 firmware is available from GE Digital support.

What this means

What could happen

An attacker on the network can send a specially crafted message that causes the PLC to reboot and change operational state, making it unavailable until manually recovered. This will interrupt whatever process the PLC is controlling.

Who's at risk

Energy sector operators running GE PACSystems or RSTi-EP programmable logic controllers (PLCs) for process control, SCADA systems, or critical infrastructure automation should assess their inventory. All models listed (CPE305, CPE310, CPE330, CPE400, CPE100, CPU320/CRU320, RXi) are affected regardless of firmware version for most models.

How it could be exploited

An attacker with network access to the PLC can send a malformed input that fails input validation, triggering a reboot. The attacker does not need credentials or authentication—any network-connected device can send the malicious message directly to the PLC.

Prerequisites

Network access to the PLC on its service port or network interface
No credentials required

Remotely exploitable over the networkNo authentication requiredLow complexity attackPLCs with end-of-life status (CPU320/CRU320) cannot be patched

Exploitability

Some exploitation risk — EPSS score 2.8%

Affected products (5)

1 with fix3 pending1 EOL

ProductAffected VersionsFix Status

RX3i CPE 400:≤ 9.30No fix yet

PACSystems RSTi-EP CPE 100: all versionsAll versionsNo fix yet

RX3i CPE330:≤ 9.21No fix yet

PACSystems RX3i CPE305/310:≤ 9.209.40

PACSystems CPU320/CRU320 and RXi: all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/9

Do now

0/3

HARDENINGIsolate all PLC networks from the business network using a firewall or air gap

HARDENINGEnsure PLCs are not reachable from the Internet or untrusted networks

WORKAROUNDIf remote access to PLCs is required, restrict it through a VPN or terminal server with strong authentication

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PACSystems RX3i CPE305 firmware to version 9.40 or later (CPE305_FW9_40_41G1733-MS10-000-A17.zip or newer)

HOTFIXUpgrade PACSystems RX3i CPE310 firmware to version 9.40 or later (CPE310_FW9_40_41G1734-MS10-000-A17.zip or newer)

HOTFIXUpgrade PACSystems RX3i CPE330 firmware to version 9.40 or later (CPE330_FW9_40_41G2016-FW01-000-A11.zip or newer)

HOTFIXUpgrade PACSystems RX3i CPE400 firmware to version 9.40 or later (CPE400_FW9_40_41G2376-FW01-000-A3.zip or newer)

HOTFIXUpgrade RSTi-EP CPE100 to the latest available firmware from GE Digital support

Mitigations - no patch available

0/1

PACSystems CPU320/CRU320 and RXi: all versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGFor end-of-life CPU320/CRU320 units, plan migration to a supported RX3i or RSTi-EP model

CVEs (1)

CVE-2018-8867

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fccae455-c414-486f-b688-21ca85d92d91

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.