===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1901
     ICS Advisory | ICSA-23-089-01 Hitachi Energy IEC 61850 MMS-Server
                               31 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hitachi Energy IEC 61850 MMS-Server
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3353  

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01

Comment: CVSS (Max):  5.9 CVE-2022-3353 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-089-01)

Hitachi Energy IEC 61850 MMS-Server

Release Date
March 30, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 5.9
  o ATTENTION: Exploitable remotely
  o Vendor: Hitachi Energy
  o Equipment: IEC 61850 MMS-Server
  o Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause products using the
IEC 61850 MMS-server communication stack to stop accepting new MMS-client
connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy equipment using the IEC 61850
communication stack are affected:

  o TXpert Hub CoreTec 4 version 2.0.x
  o TXpert Hub CoreTec 4 version 2.1.x
  o TXpert Hub CoreTec 4 version 2.2.x
  o TXpert Hub CoreTec 4 version 2.3.x
  o TXpert Hub CoreTec 4 version 2.4.x
  o TXpert Hub CoreTec 4 version 3.0.x
  o TXpert Hub CoreTec 5 version 3.0.x
  o Tego1_r15b08 (FOX615 System Release R15B)
  o Tego1_r2a16_03 (FOX615 System Release R14A)
  o Tego1_r2a16
  o Tego1_r1e01
  o Tego1_r1d02
  o Tego1_r1c07
  o Tego1_r1b02
  o GMS600 version 1.3
  o Relion 670 1.2 (Limited)
  o Relion 670 2.0 (Limited)
  o Relion 650 version 1.1 (Limited)
  o Relion 650 version 1.3 (Limited)
  o Relion 650 version 2.1 (Classic)
  o Relion 670 version 2.1 (Classic)
  o Relion SAM600-IO 2.2.1
  o Relion SAM600-IO 2.2.5
  o Relion 670/650 version 2.2.0
  o Relion 670/650 version 2.2.1
  o Relion 670/650 version 2.2.2
  o Relion 670/650 version 2.2.3
  o Relion 670/650 version 2.2.4
  o Relion 670/650 version 2.2.5
  o ITT600 SA Explorer version 1.1.0
  o ITT600 SA Explorer version 1.1.1
  o ITT600 SA Explorer version 1.1.2
  o ITT600 SA Explorer version 1.5.0
  o ITT600 SA Explorer version 1.5.1
  o ITT600 SA Explorer version 1.6.0
  o ITT600 SA Explorer version 1.6.0.1
  o ITT600 SA Explorer version 1.7.0
  o ITT600 SA Explorer version 1.7.2
  o ITT600 SA Explorer version 1.8.0
  o ITT600 SA Explorer version 2.0.1
  o ITT600 SA Explorer version 2.0.2
  o ITT600 SA Explorer version 2.0.3
  o ITT600 SA Explorer version 2.0.4.1
  o ITT600 SA Explorer version 2.0.5.0
  o ITT600 SA Explorer version 2.0.5.4
  o ITT600 SA Explorer version 2.1.0.4
  o ITT600 SA Explorer version 2.1.0.5
  o MSM version 2.2.3 and prior
  o PWC600 version 1.0
  o PWC600 version 1.1
  o PWC600 version 1.2
  o REB500 all V8.x versions
  o REB500 all V7.x versions
  o RTU500 series CMU Firmware version 12.0.1 to 12.0.14
  o RTU500 series CMU Firmware version 12.2.1 to 12.2.11
  o RTU500 series CMU Firmware version 12.4.1 to 12.4.11
  o RTU500 series CMU Firmware version 12.6.1 to 12.6.8
  o RTU500 series CMU Firmware version 12.7.1 to 12.7.4
  o RTU500 series CMU Firmware version 13.2.1 to 13.2.5
  o RTU500 series CMU Firmware version 13.3.1 to 13.3.3
  o RTU500 series CMU Firmware version 13.4.1
  o SYS600 version 10.1 to 10.3.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
An attacker could exploit the IEC 61850 MMS-Server communication stack by
forcing the communication stack to stop accepting new MMS-client connections.

CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score
of 5.9 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy provided updates for the following products. Contact Hitachi
Energy for update information.

  o MSM Server update to version 2.2.5
  o tego1_r15b08 (FOX615 System Release R15B) update to tego1_r16a11 (FOX615
    System Release R16A)
  o REB500 all V8.x versions update REB500 firmware to version 8.3.3.0 when
    released.
  o RTU500 series CMU Firmware version 12.0.1 to 12.0.14 Update to CMU Firmware
    version 12.0.15
  o RTU500 series CMU Firmware version 12.2.1 to 12.2.11 Update to CMU Firmware
    version 12.2.12
  o RTU500 series CMU Firmware version 12.4.1 to 12.4.11 Update to CMU Firmware
    version 12.4.12
  o RTU500 series CMU Firmware version 12.6.1 to 12.6.8 Update to CMU Firmware
    version 12.6.9
  o RTU500 series CMU Firmware version 12.7.1 to 12.7.4 Update to CMU Firmware
    version 12.7.5
  o RTU500 series CMU Firmware version 13.2.1 to 13.2.5 Update to CMU Firmware
    version 13.2.6
  o RTU500 series CMU Firmware version 13.3.1 to 13.3.3 Update to CMU Firmware
    version 13.3.4
  o RTU500 series CMU Firmware version 13.4.1 Update to CMU Firmware version
    13.4.2
  o SYS600 version 10.1 to 10.3.1 update to SYS600 version 10.4.1
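
The RTU500 series CMU firmware ranges above can be checked against an asset
inventory. The following is an added example, not part of the advisory or of
any Hitachi Energy tooling; the function names and the sample inventory are
constructed for illustration.

```python
import re

# RTU500 series CMU firmware branches as listed in the advisory:
# (major, minor) -> (first affected patch, last affected patch, fixed release)
RTU500_CMU = {
    (12, 0): (1, 14, "12.0.15"),
    (12, 2): (1, 11, "12.2.12"),
    (12, 4): (1, 11, "12.4.12"),
    (12, 6): (1, 8, "12.6.9"),
    (12, 7): (1, 4, "12.7.5"),
    (13, 2): (1, 5, "13.2.6"),
    (13, 3): (1, 3, "13.3.4"),
    (13, 4): (1, 1, "13.4.2"),
}

def triage(version):
    """Return (status, fixed_release) for one CMU firmware version string."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        return ("unparseable", None)      # needs manual review
    major, minor, patch = map(int, m.groups())
    branch = RTU500_CMU.get((major, minor))
    if branch is None:
        return ("not-listed", None)       # branch not named in the advisory
    first, last, fixed = branch
    if first <= patch <= last:
        return ("affected", fixed)
    if patch > last:
        return ("fixed", fixed)           # at or above the remediated release
    return ("not-listed", None)           # below the listed range

def triage_inventory(assets):
    """Return the (name, version, status, fixed) rows that need action."""
    rows = []
    for name, version in assets:
        status, fixed = triage(version)
        if status in ("affected", "unparseable"):
            rows.append((name, version, status, fixed))
    return rows

# Constructed sample inventory (hypothetical device names).
INVENTORY = [("rtu-a", "12.0.14"), ("rtu-b", "12.0.15"),
             ("rtu-c", "13.4.1"), ("rtu-d", "12.6"), ("rtu-e", "11.2.0")]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(row)
```

Versions reported as "not-listed" are outside the ranges this advisory names
and should be checked against the vendor advisory 8DBD000132.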

For all versions, Hitachi Energy recommends that users apply these general
mitigation factors:

  o Upgrade the system once a remediated version is available.
  o Apply Hitachi Energy recommended security practices and firewall
    configurations to help protect a process control network from attacks that
    originate from outside the network. Such practices include:
      - Physically protecting process control systems from direct access by
        unauthorized personnel.
      - Not allowing direct connections to the internet.
          * Process control systems should not be used for internet surfing,
            instant messaging, or receiving emails.
      - Use a firewall system that has a minimal number of exposed ports to
        separate the process control network from other networks.
          * Connection to other networks must be evaluated as necessary.
      - Scan portable computers and removable storage media carefully for
        viruses before connection to a control system.
  o MSM is not designed nor intended to be connected to the internet.
    Disconnect the device from any internet facing network.
      - Adopt user access management and updated antivirus protection engines
        equipped with the latest signature rules for computers that have
        installed and are operating the MMS Client application.
      - Use the default operating system (OS) user access management function
        to limit unauthorized access and/or rogue commands via the MMS Client
        application.

For more information, see the Hitachi Energy advisories for the corresponding
affected products:

  o 8DBD000124 TXpert Hub CoreTec 4 and 5 Products
  o 8DBD000132 RTU500 series
  o 8DBD000127 Relion 670, 650 series, and SAM600-IO
  o 8DBD000131 REB500 series
  o 8DBD000130 PWC600
  o 8DBD000129 MSM
  o 8DBD000133 MicroSCADA X SYS600
  o 8DBD000128 ITT600 SA Explorer
  o 8DBD000126 GMS600
  o 8DBD000125 FOX61x TEGO1

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target this vulnerability. This
vulnerability has a high attack complexity.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================