Schweitzer Engineering Laboratories SEL-411L

MonitorCVSS 4.3ICS-CERT ICSA-23-341-02Dec 7, 2023

Schweitzer Engineering

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

The SEL-411L relays (R118–R129 series) are vulnerable to clickjacking attacks via the web interface. An attacker can trick an authenticated user into unknowingly performing actions on the relay by embedding the interface within a malicious webpage. Schweitzer Engineering Laboratories has stated patches have been distributed to asset owners; however, the advisory notes "no fix available" for all listed R-series models, indicating either patches are not yet released or these models will not receive fixes. The vulnerability is classified as informational (CWE-1021: Improper Restriction of Rendered UI Layers or Frames).

What this means

What could happen

An attacker could manipulate a user's browser to perform unwanted actions through clickjacking, potentially leading to unauthorized configuration changes or operational decisions if the user is logged into the device's web interface.

Who's at risk

Protection and control relay operators at utilities and industrial facilities using Schweitzer Engineering Laboratories SEL-411L relays (R118–R129 series) for power system protection, monitoring, and automation. This affects anyone with authenticated access to the relay's web-based configuration interface.

How it could be exploited

An attacker crafts a malicious web page containing an invisible or deceptive overlay of the SEL-411L web interface and tricks an authorized user into clicking on it. The user's authenticated session is hijacked to perform actions like changing relay settings or disabling protections.

Prerequisites

User must be authenticated to the SEL-411L web interface
User must visit an attacker-controlled or compromised web page while logged into the device
Device web interface must be accessible from the network where the user browses

low CVSS score (4.3)requires user interaction (social engineering needed)affects relay configuration interfaceno patch available for any R-series model

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (12)

12 EOL

ProductAffected VersionsFix Status

R118: >=V0|<=V3≥ V0|≤ V3No fix (EOL)

R119: >=V0|<=V4≥ V0|≤ V4No fix (EOL)

R120: >=V0|<=V5≥ V0|≤ V5No fix (EOL)

R121: >=V0|<=V2≥ V0|≤ V2No fix (EOL)

R122: >=V0|<=V2≥ V0|≤ V2No fix (EOL)

R123: >=V0|<=V2≥ V0|≤ V2No fix (EOL)

R124: >=V0|<=V2≥ V0|≤ V2No fix (EOL)

R125: >=V0|<=V2≥ V0|≤ V2No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict web interface access to the SEL-411L relay using firewall rules; limit access to engineering workstations on isolated networks only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXApply patches from Schweitzer Engineering Laboratories if available for your specific R-series relay model

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: R118: >=V0|<=V3, R119: >=V0|<=V4, R120: >=V0|<=V5, R121: >=V0|<=V2, R122: >=V0|<=V2, R123: >=V0|<=V2, R124: >=V0|<=V2, R125: >=V0|<=V2, R126: >=V0|<=V3, R128: V0, R129: V0, R127: >=V0|<=V1. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate control system devices from user workstations and the internet

HARDENINGRequire use of a VPN with multi-factor authentication for any remote administrative access to the relay

CVEs (1)

CVE-2023-2265

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/622d5cee-e677-4a91-a375-502b4effd056

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.