Rewterz Threat Advisory – ICS: Multiple Hitachi Energy Vulnerabilities

Severity

High

Analysis Summary

CVE-2021-22278

This vulnerability exists due to a logic error in the certificate validation in the affected product. An attacker with administrator rights could exploit this vulnerability by creating software packages and signing those packages with specially crafted certificates, thereby pointing the PCM600 update server location to a different location. The validation flaw causes untrusted software packages to be installed using PCM600 Update Manager.

CVE-2020-1968

The Raccoon attack exploits a flaw in the TLS specification, which can lead to an attacker computing pre-master secret in connections that have used a Diffie-Hellman- based cipher suite. An attacker can then eavesdrop on all encrypted communications sent over the exploited TLS connection.

CVE-2020-24977

There is a global buffer over-read vulnerability in xmlEncodeEntitiesInternal in the affected libxml2/entities.c.

CVE-2021-3517

A vulnerability exists in the xml entity encoding functionality of the affected libxml2. An attacker can use a specially crafted file to trigger an out-of-bounds read.

CVE-2021-3449, CVE-2020-1971, CVE-2019-1563, CVE-2019-1549, CVE-2019-1547, CVE-2021-23840, CVE-2021-23841, CVE-2017-8872, CVE-2019-20388, CVE-2020-24977, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541, CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15705, CVE-2020-15706, CVE-2020-15707, CVE-2020-14372, CVE-2020-25632, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, and CVE-2021-20233

Hitachi Energy is aware of public reports of this vulnerability in the following open-source software components: OpenSSL, LibSSL, libxml2, and GRUB2 bootloader. The vulnerability also affects some APM Edge products. An attacker who successfully exploits this vulnerability could cause the product to become inaccessible.

CVE-2021-35535

A vulnerability exists in the early boot process of the product in which there is a tiny time gap where a previous version of VxWorks is loaded prior to booting up the complete application firmware. The older version of VxWorks is susceptible to Urgent/11, which may allow for remote code execution on the device before the operating system is loaded.

CVE-2021-35533

An issue exists in the BCI IEC 60870-5-104 function included in the affected products. If BCI IEC 60870-5-104 is enabled and configured, an attacker could exploit the vulnerability by sending a specially crafted message to the affected product, causing it to reboot. This vulnerability is caused by the validation error in the APDU parser of the BCI IEC 60870-5-104 function.

Impact

• Security Bypass
• Denial of Service
• Unauthorized Access

Affected Vendors

• Hitachi Energy

Affected Products

• RTU500 series CMU Firmware: Version 12.2.
• RTU500 series CMU Firmware: Version 12.4.
• RTU500 series CMU Firmware: Version 12.6.
• RTU500 series CMU Firmware: Version 12.7.
• RTU500 series CMU Firmware: Version 13.0.
• RTU500 series CMU Firmware: Version 13.1.
• RTU500 series CMU Firmware: Version 13.2.1
• APM Edge Version 1.0
• APM Edge Version 2.0
• APM Edge Version 3.0
• PCM600 Update Manager: Versions 2.1
• PCM600 Update Manager: Versions 2.1.0.4
• PCM600 Update Manager: Versions 2.2
• PCM600 Update Manager: Versions 2.2.0.1
• PCM600 Update Manager: Versions 2.2.0.2
• PCM600 Update Manager: Versions 2.2.0.23
• PCM600 Update Manager: Versions 2.3.0.60
• PCM600 Update Manager: Versions 2.4.20041.1
• PCM600 Update Manager: Versions 2.4.20119.2

Remediation

Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.

Hitachi Energy PCM600 Update Manager

Hitachi Energy RTU500 series

Hitachi Energy APM Edge

Hitachi Energy Relion 670/650/SAM600-IO

Hitachi Energy RTU500 series BCI