OTPulse

Schweitzer Engineering Laboratories SEL-411L

Monitor | CVSS 4.3 | ICS-CERT ICSA-23-341-02 | Dec 7, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required

Summary

The SEL-411L relays (R118–R129 series) are vulnerable to clickjacking attacks via the web interface. An attacker can trick an authenticated user into unknowingly performing actions on the relay by embedding the interface within a malicious webpage. Schweitzer Engineering Laboratories has stated that patches have been distributed to asset owners; however, the advisory notes "no fix available" for all listed R-series models, indicating either that patches are not yet released or that these models will not receive fixes. The vulnerability is classified as informational (CWE-1021: Improper Restriction of Rendered UI Layers or Frames).

What this means
What could happen
An attacker could manipulate a user's browser to perform unwanted actions through clickjacking, potentially leading to unauthorized configuration changes or operational decisions if the user is logged into the device's web interface.
Who's at risk
Protection and control relay operators at utilities and industrial facilities using Schweitzer Engineering Laboratories SEL-411L relays (R118–R129 series) for power system protection, monitoring, and automation. This affects anyone with authenticated access to the relay's web-based configuration interface.
How it could be exploited
An attacker crafts a malicious web page containing an invisible or deceptive overlay of the SEL-411L web interface and tricks an authorized user into clicking on it. The clicks are delivered to the real interface inside the user's authenticated session, where they can perform actions such as changing relay settings or disabling protections.
Prerequisites
  • User must be authenticated to the SEL-411L web interface
  • User must visit an attacker-controlled or compromised web page while logged into the device
  • Device web interface must be accessible from the network where the user browses
Risk factors
  • low CVSS score (4.3)
  • requires user interaction (social engineering needed)
  • affects relay configuration interface
  • no patch available for any R-series model
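
For defenders auditing a web interface for this weakness class (CWE-1021), the following added example classifies a response's anti-framing posture from its headers. It is not code from the advisory or from Schweitzer Engineering Laboratories; the advisory does not state which headers the relay sends, so the sample headers are constructed, and the function names are hypothetical.

```python
# Added example: classify anti-framing posture from HTTP response headers,
# following browser handling of CSP frame-ancestors and X-Frame-Options.
VERDICTS = ["blocked", "same-origin", "allowlist", "frameable"]  # strictest first

def _frame_ancestors(headers):
    """One source list per enforced CSP policy that sets frame-ancestors."""
    found = []
    for name, value in headers:
        if name.lower() != "content-security-policy":  # Report-Only never blocks
            continue
        for policy in value.split(","):  # one header can carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
                    break  # a repeated directive in one policy is ignored
    return found

def _rank(sources):
    if not sources or sources == ["'none'"]:
        return 0  # no ancestor may frame the page
    if sources == ["'self'"]:
        return 1
    return 3 if "*" in sources else 2

def framing_policy(headers):
    """headers: list of (name, value) pairs taken from one HTTP response."""
    ancestors = _frame_ancestors(headers)
    if ancestors:  # frame-ancestors present: X-Frame-Options is ignored
        # Several policies: report the strictest (approximates their intersection).
        return VERDICTS[min(_rank(s) for s in ancestors)]
    xfo = {tok.strip().lower() for name, value in headers
           if name.lower() == "x-frame-options"
           for tok in value.split(",") if tok.strip()}
    if len(xfo) > 1:  # conflicting values block only if one is a known keyword
        return "blocked" if xfo & {"deny", "sameorigin", "allowall"} else "frameable"
    if xfo == {"deny"}:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "same-origin"
    return "frameable"  # absent, ALLOWALL, obsolete ALLOW-FROM, or unrecognised

if __name__ == "__main__":
    # Constructed sample responses, not captured from a relay.
    for hdrs in ([], [("X-Frame-Options", "DENY")],
                 [("Content-Security-Policy", "frame-ancestors 'self'")]):
        print(hdrs, "->", framing_policy(hdrs))
```

A "frameable" verdict means the browser will render the interface inside another origin's page, which is the condition the prerequisites above depend on.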
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
12 EOL

Product            Affected Versions   Fix Status
R118: >=V0|<=V3    ≥ V0|≤ V3           No fix (EOL)
R119: >=V0|<=V4    ≥ V0|≤ V4           No fix (EOL)
R120: >=V0|<=V5    ≥ V0|≤ V5           No fix (EOL)
R121: >=V0|<=V2    ≥ V0|≤ V2           No fix (EOL)
R122: >=V0|<=V2    ≥ V0|≤ V2           No fix (EOL)
R123: >=V0|<=V2    ≥ V0|≤ V2           No fix (EOL)
R124: >=V0|<=V2    ≥ V0|≤ V2           No fix (EOL)
R125: >=V0|<=V2    ≥ V0|≤ V2           No fix (EOL)

Remediation & Mitigation
Do now
WORKAROUND: Restrict web interface access to the SEL-411L relay using firewall rules; limit access to engineering workstations on isolated networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply patches from Schweitzer Engineering Laboratories if available for your specific R-series relay model
Mitigations - no patch available
The following products have reached End of Life with no planned fix: R118: >=V0|<=V3, R119: >=V0|<=V4, R120: >=V0|<=V5, R121: >=V0|<=V2, R122: >=V0|<=V2, R123: >=V0|<=V2, R124: >=V0|<=V2, R125: >=V0|<=V2, R126: >=V0|<=V3, R128: V0, R129: V0, R127: >=V0|<=V1. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate control system devices from user workstations and the internet
HARDENING: Require use of a VPN with multi-factor authentication for any remote administrative access to the relay