1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: RTU500 Series
- Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy’s RTU500 Series Product, are affected:
- RTU500 series CMU Firmware: version 12.0.1 through 12.0.15
- RTU500 series CMU Firmware: version 12.2.1 through 12.2.12
- RTU500 series CMU Firmware: version 12.4.1 through 12.4.12
- RTU500 series CMU Firmware: version 12.6.1 through 12.6.9
- RTU500 series CMU Firmware: version 12.7.1 through 12.7.6
- RTU500 series CMU Firmware: version 13.2.1 through 13.2.6
- RTU500 series CMU Firmware: version 13.3.1 through 13.3.3
- RTU500 series CMU Firmware: version 13.4.1 through 13.4.2
3.2 Vulnerability Overview
3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843
There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling access to read memory contents or cause a denial-of-service condition.X.400 addresses parsed as an ASN1_STRING while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE.
CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208
A timing-based side channel exists in the OpenSSL RSA Decryption implementation. This could allow an attacker sufficient access to recover plaintext across a network to perform a Bleichenbacher style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
3.2.3 OUT-OF-BOUNDS READ CWE-125
A vulnerability exists in the Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by using a specific crafted packet that could lead to an out-of-bounds read during an IKE initial exchange scenario.
CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835
A vulnerability exists in the OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. An attacker can exploit the BN_mod_sqrt() function to compute a modular square root that contains a bug causing a continual loop for non-prime moduli.
CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120
A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could cause a buffer overflow up to a maximum of 62 bytes while altering contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash.
CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.6 OUT-OF-BOUNDS READ CWE-125
A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could create a system crash causing a denial-of-service condition or a disclosure of private memory contents, such as private keys or sensitive plaintext.
CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has released the following mitigations/fixes for CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, and CVE-2021-3712:
- RTU500 series CMU Firmware version 12.0.1 – 12.0.14: Update to CMU Firmware version 12.0.15* (Planned Update)
- RTU500 series CMU Firmware version 12.2.1 – 12.2.11: Update to CMU Firmware version 12.2.12* (Planned Update)
- RTU500 series CMU Firmware version 12.4.1 – 12.4.11: Update to CMU Firmware version 12.4.12* (Planned Update)
- RTU500 series CMU Firmware version 12.6.1 – 12.6.8: Update to CMU Firmware version 12.6.9
- RTU500 series CMU Firmware version 12.7.1 – 12.7.5: Update to CMU Firmware version 12.7.6
- RTU500 series CMU Firmware version 13.2.1 – 13.2.5: Update to CMU Firmware version 13.2.6
- RTU500 series CMU Firmware version 13.3.1 – 13.3.3: Update to CMU Firmware version 13.3.4* (Planned Update)
- RTU500 series CMU Firmware version 13.4.1: Update to CMU Firmware version 13.4.2
Until the updates are made available, Hitachi Energy recommends the following general mitigation factors/workarounds for the products with RTU500 series CMU Firmware versions 12.0.1 – 12.0.15, 12.2.1 – 12.2.12, 12.4.1 – 12.4.12, 12.6.1 – 12.6.9, 12.7.1 – 12.7.6, 13.2.1 – 13.2.6, 13.3.1 – 13.3.3, 13.4.2 to address the vulnerabilities CVE-2023-0286 and CVE-2022-4304:
- Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network including.
- Physically protect process control systems from direct access by unauthorized personnel.
- Do not allow process control systems direct connections to the internet.
- Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
- Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
- Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
For more information, see Hitachi Energy’s Security Advisories:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Source: