1. EXECUTIVE SUMMARY
- CVSS v3 7.4
- ATTENTION: Exploitable remotely
- Vendor: Hitachi Energy
- Equipment: RTU500 Scripting Interface
- Vulnerability: Improper Certificate Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow attackers to spoof the identity of the service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following products of Hitachi Energy are affected:
- RTU500 Scripting Interface: Version 1.0.1.30
- RTU500 Scripting Interface: Version 1.0.2
- RTU500 Scripting Interface: Version 1.1.1
- RTU500 Scripting Interface: Version 1.2.1
- RTU500 Scripting Interface: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295
Hitachi Energy is aware of a reported vulnerability in the RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a certification authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate (for example, the issuing CA chain and the name the certificate was issued for), then an attacker could spoof the identity of the service.
CVE-2023-1514 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
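The following Go program is an added illustration of the CWE-295 weakness described above; it is not part of the advisory and is not Hitachi Energy's code. It builds, entirely in memory on the loopback interface, a trusted test root, a service certificate issued by that root and a constructed self-signed look-alike for the same name, then runs a TLS handshake against each with two client configurations: a validating client (pinned root plus expected service name) and a non-validating client (`InsecureSkipVerify`). The service hostname, root name and all certificates are constructed test values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name. When parent is nil the certificate is self-signed,
// which is used both for the trusted test root and for the constructed "rogue" certificate.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name a validating client must match
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// StrictClientConfig is the validating configuration: a pinned trust anchor and the expected
// service name, so both the issuing chain and the hostname are checked during the handshake.
func StrictClientConfig(root *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// LaxClientConfig is the CWE-295 pattern: the handshake completes with whatever certificate
// the peer presents, so nothing ties the connection to the intended service.
func LaxClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
}

// Handshake serves one TLS connection on loopback with serverCert and returns the error the
// client using clientCfg gets (nil means the client accepted the certificate).
func Handshake(serverCert *x509.Certificate, serverKey *ecdsa.PrivateKey, clientCfg *tls.Config) error {
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // fails when the client rejects the certificate; that is expected
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenarios returns each client's verdict on a legitimately issued certificate, a self-signed
// look-alike for the same name, and a legitimate certificate presented under the wrong name.
func Scenarios() (map[string]error, error) {
	const service = "rtu-scripting.example.test" // constructed hostname, not a real deployment
	root, rootKey, err := issue("Test Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	good, goodKey, err := issue(service, false, root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := issue(service, false, nil, nil)
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"strict/legitimate": Handshake(good, goodKey, StrictClientConfig(root, service)),
		"strict/rogue":      Handshake(rogue, rogueKey, StrictClientConfig(root, service)),
		"strict/wrong-name": Handshake(good, goodKey, StrictClientConfig(root, "other.example.test")),
		"lax/rogue":         Handshake(rogue, rogueKey, LaxClientConfig()),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, e := range res {
		fmt.Printf("%-18s accepted=%v err=%v\n", k, e == nil, e)
	}
}
```

Run with `go run .`: the validating client accepts only the certificate that chains to the pinned root and carries the expected name, rejecting the look-alike with an unknown-authority error and the misnamed certificate with a hostname error, while the lax client accepts the look-alike, which is exactly the condition under which a service identity can be spoofed.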
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
- RTU500 Scripting interface Version 1.0.1.30, RTU500 Scripting interface Version 1.0.2, RTU500 Scripting interface Version 1.1.1: Update to RTU500 Scripting interface Version 1.2.1
- RTU500 Scripting interface All versions: Hitachi Energy recommends that users follow the “Remote Terminal Units Security Deployment Guideline” and apply the mitigations described in the Mitigation Factors/Workarounds section.
Hitachi Energy recommends the following security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network:
- Physically protect from direct access by unauthorized personnel
- Do not directly connect to the Internet
- Separate from other networks by means of a firewall system that has a minimal number of ports exposed
- Do not use process control systems for Internet surfing, instant messaging, or receiving e-mails
- Carefully scan portable computers and removable storage media for viruses before connecting them to a control system
For more information, see Hitachi Energy Cybersecurity Advisory “Improper Certificate Validation in Hitachi Energy’s RTU500 series Product”.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
5. UPDATE HISTORY
- November 26, 2024: Initial Publication