Hitachi Energy’s RTU500 Series Product

Mister Cybersecurity, May 23, 2023


1. EXECUTIVE SUMMARY

  • CVSS v3 9.8 
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: RTU500 Series
  • Vulnerabilities: Type Confusion, Observable Timing Discrepancy, Out-of-bounds Read, Infinite Loop, Classic Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy’s RTU500 Series Product are affected:

For CVE-2023-0286, CVE-2022-4304  

  • RTU500 series CMU Firmware: version 12.0.1 through 12.0.15 
  • RTU500 series CMU Firmware: version 12.2.1 through 12.2.12  
  • RTU500 series CMU Firmware: version 12.4.1 through 12.4.12  
  • RTU500 series CMU Firmware: version 12.6.1 through 12.6.9  
  • RTU500 series CMU Firmware: version 12.7.1 through 12.7.6  
  • RTU500 series CMU Firmware: version 13.2.1 through 13.2.6  
  • RTU500 series CMU Firmware: version 13.3.1 through 13.3.3  
  • RTU500 series CMU Firmware: version 13.4.1 through 13.4.2 

For CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, CVE-2021-3712  

  • RTU500 series CMU Firmware: version 12.0.1 through 12.0.14 
  • RTU500 series CMU Firmware: version 12.2.1 through 12.2.11  
  • RTU500 series CMU Firmware: version 12.4.1 through 12.4.11  
  • RTU500 series CMU Firmware: version 12.6.1 through 12.6.8  
  • RTU500 series CMU Firmware: version 12.7.1 through 12.7.5 
  • RTU500 series CMU Firmware: version 13.2.1 through 13.2.5  
  • RTU500 series CMU Firmware: version 13.3.1 through 13.3.3  
  • RTU500 series CMU Firmware: version 13.4.1 through 13.4.1 
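
The two range lists above differ only in the last patch level of most branches, so one firmware build can fall under the first CVE group and not the second. The following Python sketch is an added example, not part of the advisory or of any Hitachi Energy tooling: it checks an asset inventory against both lists. It assumes firmware versions are reported as three dotted integers; the asset names and the MANUAL-REVIEW marker are made up for the example.

```python
import re

# Inclusive ranges copied from section 3.1, keyed by the CVE group they apply to.
GROUP_A = ("CVE-2023-0286", "CVE-2022-4304")
GROUP_B = ("CVE-2022-23937", "CVE-2022-0778", "CVE-2021-3711", "CVE-2021-3712")
AFFECTED = {
    GROUP_A: ["12.0.1-12.0.15", "12.2.1-12.2.12", "12.4.1-12.4.12", "12.6.1-12.6.9",
              "12.7.1-12.7.6", "13.2.1-13.2.6", "13.3.1-13.3.3", "13.4.1-13.4.2"],
    GROUP_B: ["12.0.1-12.0.14", "12.2.1-12.2.11", "12.4.1-12.4.11", "12.6.1-12.6.8",
              "12.7.1-12.7.5", "13.2.1-13.2.5", "13.3.1-13.3.3", "13.4.1-13.4.1"],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch) as ints so 12.0.9 sorts below 12.0.15."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def cves_for(version):
    """List the advisory's CVEs whose affected range contains this version."""
    v = parse_version(version)
    hits = []
    for cves, ranges in AFFECTED.items():
        for span in ranges:
            low, high = (parse_version(p) for p in span.split("-"))
            if low <= v <= high:
                hits.extend(cves)
                break
    return hits

def triage(inventory):
    """Map each asset to its CVE list; unparsable versions go to manual review."""
    report = {}
    for asset, version in inventory.items():
        try:
            report[asset] = cves_for(version)
        except ValueError:
            report[asset] = ["MANUAL-REVIEW"]
    return report

# Constructed inventory (asset names and versions are made up for the example).
SAMPLE_INVENTORY = {"rtu-sub-01": "12.0.15", "rtu-sub-02": "12.4.9",
                    "rtu-sub-03": "13.4.3", "rtu-sub-04": "v12.7"}

if __name__ == "__main__":
    for asset, cves in triage(SAMPLE_INVENTORY).items():
        print(asset, ", ".join(cves) or "not in an affected range")
```

Comparing versions as integer tuples matters here: compared as strings, 12.4.9 would sort above 12.4.12 and be reported as outside the affected range.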

3.2 VULNERABILITY OVERVIEW

3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843 

There is a type-confusion vulnerability affecting X.400 address processing within an X.509 GeneralName. This vulnerability could allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial-of-service condition. X.400 addresses are parsed as an ASN1_STRING, while the public structure definition for GENERAL_NAME incorrectly specifies the x400Address field type as ASN1_TYPE.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). 

3.2.2 OBSERVABLE TIMING DISCREPANCY CWE-208 

A timing-based side channel exists in the OpenSSL RSA decryption implementation. It could be sufficient for an attacker to recover plaintext across a network in a Bleichenbacher-style attack. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.3 OUT-OF-BOUNDS READ CWE-125 

A vulnerability exists in Wind River VxWorks version 6.9 affecting the RTU500 series product versions listed. An attacker could exploit the vulnerability by using a specially crafted packet that could lead to an out-of-bounds read during an IKE initial exchange scenario.

CVE-2022-23937 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.4 LOOP WITH UNREACHABLE EXIT CONDITION (‘INFINITE LOOP’) CWE-835 

A vulnerability exists in OpenSSL version 1.0.2 that affects the RTU500 Series product versions listed. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that an attacker can exploit to cause it to loop continually for non-prime moduli.

CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120 

A vulnerability exists in OpenSSL version 1.0.2 affecting the RTU500 Series product versions listed. An attacker with access to applications and the capability to present SM2 content for decryption could overflow a buffer by up to a maximum of 62 bytes, altering the contents of data present after the buffer. This vulnerability could allow an attacker to change application behavior or cause the application to crash.

CVE-2021-3711 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.2.6 OUT-OF-BOUNDS READ CWE-125 

A vulnerability exists in the OpenSSL Version 1.0.2 affecting the RTU500 Series product versions listed. A malicious actor could cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions. Exploiting this vulnerability could create a system crash causing a denial-of-service condition or a disclosure of private memory contents, such as private keys or sensitive plaintext.  

CVE-2021-3712 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H). 

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy 
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA. 

4. MITIGATIONS

Hitachi Energy has released the following mitigations/fixes:  

  • Until the updates are made available, follow the General Mitigation Factors/Workarounds 

Hitachi Energy recommends the following general mitigation factors/workarounds:

  • Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network, including:
  • Physically protect process control systems from direct access by unauthorized personnel. 
  • Do not allow process control systems direct connections to the internet. 
  • Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.  
  • Process control systems should not be used for internet surfing, instant messaging, or receiving emails.  
  • Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. 

For more information, see Hitachi Energy’s Security Advisories: 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet. 
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. 

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. 

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploits specifically target these vulnerabilities. 


