GE Multilin SR Protective Relays Passcode Vulnerability

This white paper discusses the CVE-2017-7905 vulnerability discovered in the authentication mechanism of the General Electric Multilin SR power system protection and control products. The vulnerability has been disclosed to General Electric and a series of firmware upgrades for the affected devices has been released. The reported vulnerability falls under CWE-261, Weak Cryptography for Passwords, and has been assigned a CVSS v3 base score of 8.1. Keywords—Electric power systems, GE Multilin passcode vulnerability, ICSA-17-117-01A, CVE-2017-7905.