1. EXECUTIVE SUMMARY

  • CVSS v3 5.9
  • ATTENTION: Exploitable remotely
  • Vendor: Hitachi Energy
  • Equipment: IEC 61850 MMS-Server
  • Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause products using the IEC 61850 MMS-server communication stack to stop accepting new MMS-client connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy equipment using the IEC 61850 communication stack are affected:

  • TXpert Hub CoreTec 4 version 2.0.x
  • TXpert Hub CoreTec 4 version 2.1.x
  • TXpert Hub CoreTec 4 version 2.2.x
  • TXpert Hub CoreTec 4 version 2.3.x
  • TXpert Hub CoreTec 4 version 2.4.x
  • TXpert Hub CoreTec 4 version 3.0.x
  • TXpert Hub CoreTec 5 version 3.0.x
  • Tego1_r15b08 (FOX615 System Release R15B)
  • Tego1_r2a16_03 (FOX615 System Release R14A)
  • Tego1_r2a16
  • Tego1_r1e01
  • Tego1_r1d02
  • Tego1_r1c07
  • Tego1_r1b02
  • GMS600 version 1.3
  • Relion 670 1.2 (Limited)
  • Relion 670 2.0 (Limited)
  • Relion 650 version 1.1 (Limited)
  • Relion 650 version 1.3 (Limited)
  • Relion 650 version 2.1 (Classic)
  • Relion 670 version 2.1 (Classic)
  • Relion SAM600-IO 2.2.1
  • Relion SAM600-IO 2.2.5
  • Relion 670/650 version 2.2.0
  • Relion 670/650 version 2.2.1
  • Relion 670/650 version 2.2.2
  • Relion 670/650 version 2.2.3
  • Relion 670/650 version 2.2.4
  • Relion 670/650 version 2.2.5
  • ITT600 SA Explorer version 1.1.0
  • ITT600 SA Explorer version 1.1.1
  • ITT600 SA Explorer version 1.1.2
  • ITT600 SA Explorer version 1.5.0
  • ITT600 SA Explorer version 1.5.1
  • ITT600 SA Explorer version 1.6.0
  • ITT600 SA Explorer version 1.6.0.1
  • ITT600 SA Explorer version 1.7.0
  • ITT600 SA Explorer version 1.7.2
  • ITT600 SA Explorer version 1.8.0
  • ITT600 SA Explorer version 2.0.1
  • ITT600 SA Explorer version 2.0.2
  • ITT600 SA Explorer version 2.0.3
  • ITT600 SA Explorer version 2.0.4.1
  • ITT600 SA Explorer version 2.0.5.0
  • ITT600 SA Explorer version 2.0.5.4
  • ITT600 SA Explorer version 2.1.0.4
  • ITT600 SA Explorer version 2.1.0.5
  • MSM version 2.2.3 and prior
  • PWC600 version 1.0
  • PWC600 version 1.1
  • PWC600 version 1.2
  • REB500 all V8.x versions
  • REB500 all V7.x versions
  • RTU500 series CMU Firmware version 12.0.1 to 12.0.14
  • RTU500 series CMU Firmware version 12.2.1 to 12.2.11
  • RTU500 series CMU Firmware version 12.4.1 to 12.4.11
  • RTU500 series CMU Firmware version 12.6.1 to 12.6.8  
  • RTU500 series CMU Firmware version 12.7.1 to 12.7.4  
  • RTU500 series CMU Firmware version 13.2.1 to 13.2.5  
  • RTU500 series CMU Firmware version 13.3.1 to 13.3.3  
  • RTU500 series CMU Firmware version 13.4.1
  • SYS600 version 10.1 to 10.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

An attacker could exploit the IEC 61850 MMS-Server communication stack by forcing the communication stack to stop accepting new MMS-client connections.

CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy provided updates for the following products. Contact Hitachi Energy for update information.

  • MSM Server: update to version 2.2.5
  • tego1_r15b08 (FOX615 System Release R15B): update to tego1_r16a11 (FOX615 System Release R16A)
  • REB500 all V8.x versions: update REB500 firmware to version 8.3.3.0 when released.
  • RTU500 series CMU Firmware version 12.0.1 to 12.0.14: update to CMU Firmware version 12.0.15
  • RTU500 series CMU Firmware version 12.2.1 to 12.2.11: update to CMU Firmware version 12.2.12
  • RTU500 series CMU Firmware version 12.4.1 to 12.4.11: update to CMU Firmware version 12.4.12
  • RTU500 series CMU Firmware version 12.6.1 to 12.6.8: update to CMU Firmware version 12.6.9
  • RTU500 series CMU Firmware version 12.7.1 to 12.7.4: update to CMU Firmware version 12.7.5
  • RTU500 series CMU Firmware version 13.2.1 to 13.2.5: update to CMU Firmware version 13.2.6
  • RTU500 series CMU Firmware version 13.3.1 to 13.3.3: update to CMU Firmware version 13.3.4
  • RTU500 series CMU Firmware version 13.4.1: update to CMU Firmware version 13.4.2
  • SYS600 version 10.1 to 10.3.1: update to SYS600 version 10.4.1
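
One way to apply the RTU500 and SYS600 entries above to an asset inventory, as an added example that is not part of the original advisory. The product labels (`"RTU500 CMU"`, `"SYS600"`), the function names and the sample inventory are assumptions of this example; the version ranges and fixed versions are the ones listed in this advisory.

```python
# Affected ranges and fixed versions copied from the advisory's RTU500 and SYS600 entries.
# Each tuple is (first affected, last affected, fixed version).
ADVISORY = {
    "RTU500 CMU": [
        ("12.0.1", "12.0.14", "12.0.15"),
        ("12.2.1", "12.2.11", "12.2.12"),
        ("12.4.1", "12.4.11", "12.4.12"),
        ("12.6.1", "12.6.8", "12.6.9"),
        ("12.7.1", "12.7.4", "12.7.5"),
        ("13.2.1", "13.2.5", "13.2.6"),
        ("13.3.1", "13.3.3", "13.3.4"),
        ("13.4.1", "13.4.1", "13.4.2"),
    ],
    "SYS600": [("10.1", "10.3.1", "10.4.1")],
}


def parse(version):
    """'12.0.9' -> (12, 0, 9). Numeric compare: as strings, '12.0.9' sorts after '12.0.14'."""
    return tuple(int(part) for part in version.strip().split("."))


def fixed_version(product, version):
    """Return the advisory's fixed version if the pair falls in a listed range, else None."""
    v = parse(version)
    for low, high, fix in ADVISORY.get(product, []):
        if parse(low) <= v <= parse(high):
            return fix
    return None


def triage(inventory):
    """Map each affected asset name to the version the advisory says to update to."""
    findings = {}
    for name, product, version in inventory:
        fix = fixed_version(product, version)
        if fix is not None:
            findings[name] = fix
    return findings


# Constructed sample inventory; asset names and installed versions are hypothetical.
SAMPLE_INVENTORY = [
    ("substation-a-rtu1", "RTU500 CMU", "12.0.9"),   # inside 12.0.1 to 12.0.14
    ("substation-a-rtu2", "RTU500 CMU", "12.0.15"),  # already on the fixed version
    ("substation-b-rtu1", "RTU500 CMU", "13.4.1"),
    ("control-center-scada", "SYS600", "10.3"),
]

if __name__ == "__main__":
    for asset, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: update to {fix}")
```

A `None` result only means the version is not in a range this table covers; the other products in section 3.1 still need to be checked against the vendor's advisories.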

For all versions, Hitachi Energy recommends that users apply these general mitigation factors: 

  • Upgrade the system once a remediated version is available.
  • Apply Hitachi Energy recommended security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network. Such practices include:
    • Physically protecting process control systems from direct access by unauthorized personnel.
    • Not allowing direct connections to the internet.
      • Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
    • Use a firewall system that has a minimal number of exposed ports to separate the process control network from other networks.
      • Connection to other networks must be evaluated as necessary. 
    • Scan portable computers and removable storage media carefully for viruses before connection to a control system.
  • MSM is not designed nor intended to be connected to the internet. Disconnect the device from any internet facing network.
    • Adopt user access management and updated antivirus protection engines equipped with the latest signature rules for computers that have installed and are operating the MMS Client application. 
    • Use the default operating system (OS) user access management function to limit unauthorized access and/or rogue commands via the MMS Client application.

For more information, see the Hitachi Energy advisories for the corresponding affected products: 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01