Schweitzer Engineering Laboratories, Inc. Compass and AcSELerator Architect
Plan Patch · 8.2 · ICS-CERT ICSA-18-191-02 · Jul 10, 2018
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Improper file permissions and insecure XML parsing in SEL Compass and AcSELerator Architect allow a local user to modify or replace relay configuration files, extract sensitive settings, or cause denial of service. Affected versions: Compass ≤3.0.5.1, AcSELerator Architect ≤2.2.24.0. CWE-276 (incorrect default permissions), CWE-611 (improper XML processing), CWE-400 (denial of service).
What this means
What could happen
An attacker with local access to a Compass or AcSELerator workstation could modify or replace critical configuration files, extract sensitive relay settings or network information, or crash the engineering software—disrupting relay configuration and commissioning activities.
Who's at risk
Electric utilities and large industrial facilities that use SEL relays and configure or commission them with Compass or AcSELerator. Specifically at risk are the engineering teams that maintain, configure, and deploy SEL protective relays (e.g., 735G, UR/UREG series, or other SEL devices controlled via these tools).
How it could be exploited
An attacker must first gain local access to an engineering workstation running Compass or AcSELerator. Once logged in with standard user privileges, they can exploit file permission issues or XML parsing flaws to modify relay settings files stored in the application directory, extract sensitive configuration data, or trigger a denial-of-service condition that halts the software.
Prerequisites
- Local access to the engineering workstation
- Low-privilege user account (standard user, not administrator)
- Compass version 3.0.5.1 or earlier OR AcSELerator Architect version 2.2.24.0 or earlier
- Compass or AcSELerator software must be installed
- Local access required (not remote)
- Low privilege exploitation possible
- Affects engineering/commissioning workstations rather than production devices
- No patch available for versions in the wild until upgrade is performed
Exploitability
Moderate exploit probability (EPSS 5.5%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Compass | ≤ 3.0.5.1 | 3.0.6.1 |
| AcSELerator Architect | ≤ 2.2.24.0 | 2.2.29.0 or later |
Remediation & Mitigation
Do now
- HARDENING: Restrict local access to engineering workstations running Compass or AcSELerator—limit user accounts and enforce strong authentication (multi-factor if possible)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade SEL Compass to version 3.0.6.1 or later
- HOTFIX: Upgrade SEL AcSELerator Architect to version 2.2.29.0 or later
Long-term hardening
- HARDENING: Isolate the engineering workstation network (DMZ or air-gapped) from the plant network and business network
- HARDENING: Implement file integrity monitoring on Compass and AcSELerator installation directories to detect unauthorized modifications