ICSA-22-090-06 · Published 2022-03-31
General Electric Renewable Energy MDS Radios
CVSS 10.0
CRITICAL
CISA KEV — Known Exploited
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to control the configuration of the radio, join the network without proper authorization, or keep valid users from using the system correctly.
Remediations
- iNET/iNET II series radio firmware rev. 8.3.0
- SD series radio firmware rev. 6.4.7
- TD220X series radio firmware rev. 2.0.16
- TD220MAX series radio firmware rev. 1.2.6
- GE also recommends using other protections inside the radio, such as MAC address allow-listing, IEEE 802.1X authentication, or encrypting traffic at the application level with protocols such as HTTPS or SSH. GE provides additional mitigations and information about these vulnerabilities in GE publication number: GES-2021-18 TD220 - GES-2021-17 iNET - GES-2021-16
Affected Vendors
General Electric (GE)
Affected Products (4)
- General Electric (GE) · iNET/iNET II series radio · < rev. 8.3.0
- General Electric (GE) · SD series radio · < rev. 6.4.7
- General Electric (GE) · TD220MAX series radio · < rev. 1.2.6
- General Electric (GE) · TD220X series radio · < rev. 2.0.16
Affected Sectors
Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, Water and Wastewater Systems