Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.1901 ICS Advisory | ICSA-23-089-01 Hitachi Energy IEC 61850 MMS-Server 31 March 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Hitachi Energy IEC 61850 MMS-Server Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-3353 Original Bulletin: https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01 Comment: CVSS (Max): 5.9 CVE-2022-3353 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-089-01) Hitachi Energy IEC 61850 MMS-Server Release Date March 30, 2023 1. EXECUTIVE SUMMARY o CVSS v3 5.9 o ATTENTION: Exploitable remotely o Vendor: Hitachi Energy o Equipment: IEC 61850 MMS-Server o Vulnerability: Improper Resource Shutdown or Release 2. RISK EVALUATION Successful exploitation of this vulnerability could cause products using the IEC 61850 MMS-server communication stack to stop accepting new MMS-client connections. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions Hitachi Energy equipment using the IEC 61850 communication stack are affected: o TXpert Hub CoreTec 4 version 2.0.x o TXpert Hub CoreTec 4 version 2.1.x o TXpert Hub CoreTec 4 version 2.2.x o TXpert Hub CoreTec 4 version 2.3.x o TXpert Hub CoreTec 4 version 2.4.x o TXpert Hub CoreTec 4 version 3.0.x o TXpert Hub CoreTec 5 version 3.0.x o Tego1_r15b08 (FOX615 System Release R15B) o Tego1_r2a16_03 (FOX615 System Release R14A) o Tego1_r2a16 o Tego1_r1e01 o Tego1_r1d02 o Tego1_r1c07 o Tego1_r1b02 o GMS600 version 1.3 o Relion 670 1.2 (Limited) o Relion 670 2.0 (Limited) o Relion 650 version 1.1 (Limited) o Relion 650 version 1.3 (Limited) o Relion 650 version 2.1 (Classic) o Relion 670 version 2.1 (Classic) o Relion SAM600-IO 2.2.1 o Relion SAM600-IO 2.2.5 o Relion 670/650 version 2.2.0 o Relion 670/650 version 2.2.1 o Relion 670/650 version 2.2.2 o Relion 670/650 version 2.2.3 o Relion 670/650 version 2.2.4 o Relion 670/650 version 2.2.5 o ITT600 SA Explorer version 1.1.0 o ITT600 SA Explorer version 1.1.1 o ITT600 SA Explorer version 1.1.2 o ITT600 SA Explorer version 1.5.0 o ITT600 SA Explorer version 1.5.1 o ITT600 SA Explorer version 1.6.0 o ITT600 SA Explorer version 1.6.0.1 o ITT600 SA Explorer version 1.7.0 o ITT600 SA Explorer version 1.7.2 o ITT600 SA Explorer version 1.8.0 o ITT600 SA Explorer version 2.0.1 o ITT600 SA Explorer version 2.0.2 o ITT600 SA Explorer version 2.0.3 o ITT600 SA Explorer version 2.0.4.1 o ITT600 SA Explorer version 2.0.5.0 o ITT600 SA Explorer version 2.0.5.4 o ITT600 SA Explorer version 2.1.0.4 o ITT600 SA Explorer version 2.1.0.5 o MSM version 2.2.3 and prior o PWC600 version 1.0 o PWC600 version 1.1 o PWC600 version 1.2 o REB500 all V8.x versions o REB500 all V7.x versions o RTU500 series CMU Firmware version 12.0.1 to 12.0.14 o RTU500 series CMU Firmware version 12.2.1 to 12.2.11 o RTU500 series CMU Firmware version 12.4.1 to 12.4.11 o RTU500 series CMU Firmware version 12.6.1 to 12.6.8 o RTU500 series CMU Firmware version 12.7.1 to 12.7.4 o RTU500 series CMU Firmware version 13.2.1 to 13.2.5 o RTU500 series CMU Firmware version 13.3.1 to 13.3.3 o RTU500 series CMU Firmware version 13.4.1 o SYS600 version 10.1 to 10.3.1 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404 An attacker could exploit the IEC 61850 MMS-Server communication stack by forcing the communication stack to stop accepting new MMS-client connections. CVE-2022-3353 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:N/S:U /C:N/I:N/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Energy o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Switzerland 3.4 RESEARCHER Hitachi Energy reported this vulnerability to CISA. 4. MITIGATIONS Hitachi Energy provided updates for the following products. Contact Hitachi Energy for update information. o MSM Server update to version 2.2.5 o tego1_r15b08 (FOX615 System Release R15B) update to tego1_r16a11 (FOX615 System Release R16A) o REB500 all V8.x versions update to REB500 firmware to version 8.3.3.0 when released. o RTU500 series CMU Firmware version 12.0.1 to 12.0.14 Update to CMU Firmware version 12.0.15 o RTU500 series CMU Firmware version 12.2.1 to 12.2.11 Update to CMU Firmware version 12.2.12 o RTU500 series CMU Firmware version 12.4.1 to 12.4.11 Update to CMU Firmware version 12.4.12 o RTU500 series CMU Firmware version 12.6.1 to 12.6.8 Update to CMU Firmware version 12.6.9 o RTU500 series CMU Firmware version 12.7.1 to 12.7.4 Update to CMU Firmware version 12.7.5 o RTU500 series CMU Firmware version 13.2.1 to 13.2.5 Update to CMU Firmware version 13.2.6 o RTU500 series CMU Firmware version 13.3.1 to 13.3.3 Update to CMU Firmware version 13.3.4 o RTU500 series CMU Firmware version 13.4.1 Update to CMU Firmware version 13.4.2 o SYS600 version 10.1 to 10.3.1 update to SYS600 version 10.4.1 For all versions, Hitachi Energy recommends that users apply these general mitigation factors: o Upgrade the system once a remediated version is available. o Apply Hitachi Energy recommended security practices and firewall configurations to help protect a process control network from attacks that originate from outside the network. Such practices include: ? Physically protecting process control systems from direct access by unauthorized personnel. ? Not allowing direct connections to the internet. ? Process control systems should not be used for internet surfing, instant messaging, or receiving emails. ? Use a firewall system that has a minimal number of exposed ports to separate the process control network from other networks. ? Connection to other networks must be evaluated as necessary. ? Scan portable computers and removable storage media carefully for viruses before connection to a control system. o MSM is not designed nor intended to be connected to the internet. Disconnect the device from any internet facing network. ? Adopt user access management and updated antivirus protection engines equipped with the latest signature rules for computers that have installed and are operating the MMS Client application. ? Use the default operating system (OS) user access management function to limit unauthorized access and/or rogue commands via the MMS Client application. For more information, see the Hitachi Energy advisories for the corresponding affected products: o 8DBD000124 TXpert Hub CoreTec 4 and 5 Products o 8DBD000132 RTU500 series o 8DBD000127 Relion 670, 650 series, and SAM600-IO o 8DBD000131 REB500 series o 8DBD000130 PWC600 o 8DBD000129 MSM o 8DBD000133 MicroSCADA X SYS600 o 8DBD000128 ITT600 SA Explorer o 8DBD000126 GMS600 o 8DBD000125 FOX61x TEGO1 CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity. Related Advisories Mar 23, 2023 ICS Advisory | ICSA-23-082-01 RoboDK Mar 23, 2023 ICS Advisory | ICSA-23-082-04 Schneider Electric IGSS Mar 23, 2023 ICS Advisory | ICSA-23-082-02 CP Plus KVMS Pro Mar 23, 2023 ICS Advisory | ICSA-23-082-05 ABB Pulsar Plus Controller - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBZCZN/MkNZI30y1K9AQgPQBAAh1+vXwxAIjSNGvyoBEB9nOpY6CDT3RER rM9ZRAhkWMfg8+yAYM/wRR/3KmoVI3ZJFT2Vk+vUIel73BaAsvLXUaQpCKQZNh0O NNWHloTFNz9gERl0IvMop9Mx+U51VVU6igAxXvDygPLdnYeb/4WWpArKEXqcp7ge T0p1gFhQMUmv6vupNCz6JrIhzbHiDsWabwZHhiVKoR60my1AzCxBrzCE6kw4yjIf 7adw2ngu36qn3w8POt0iPxYvd7BF6/JPkL6ZwtFZ6n0k4uV4lSpfxacFXhnj+I+G +ayBGBHJG008/tigyTjcZRfdzYEnU4A0oPww2n64qodLDZ8dTkfr9lR20jGW5oHB ySQStZ8WuBJVMZK7kQVadurBc0tbXvglUxaRhP1iGMSh3ZxFgGqGWwrxc8T7LXO4 ji70YA6DVFNQthqLENZX4PE2/GJM8YPOkT432yP+k5jSLwg40Feb+Ly4HyxMRMBh KyhI6YNEeqnAbQ8wdsqB0+7KNVnpmLjCkuO/5kXMaY8gJN439A2h7ToV5aPk+WIA DwhUxj+b1LCxaCs0WdURncVB/lXlMjmBDYbWRfVvXllzhuSBQU9etDHan7WISPDk nHXaTDTjfzKSeXwVv/BhSaTr/8wnIK9vSLoSStWVhkaxGA5hjQQ9X8lioJ50lJP4 5mnJengTRJE= =OoZs -----END PGP SIGNATURE-----