-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.4826
            ICS Advisory | ICSA-23-234-01 Hitachi Energy AFF66x
                              23 August 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hitachi Energy AFF66x
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3204 CVE-2021-43523 CVE-2020-13817
                   CVE-2020-11868 CVE-2019-11477 CVE-2018-18066

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01

Comment: CVSS (Max):  9.6 CVE-2021-43523 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-234-01)

Hitachi Energy AFF66x

Release Date
August 22, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 9.6
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Hitachi Energy
  o Equipment: AFF66x
  o Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random Values,
    Origin Validation Error, Integer Overflow or Wraparound, Uncontrolled
    Resource Consumption, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
compromise availability, integrity, and confidentiality of the targeted
devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports these vulnerabilities affect the following AFF660/665
products:

  o AFF660/665: Firmware 03.0.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters
in domain names returned by DNS servers via gethostbyname, getaddrinfo,
gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading
to domain hijacking) or injection into applications (leading to remote code
execution, XSS, application crashes, etc.). In other words, a validation step,
which is expected in any stub resolver, does not occur.

CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of
9.6 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
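
The validation step the advisory describes as missing is the one an application
can still apply itself: reject any name the resolver hands back that falls
outside hostname syntax before it reaches an HTML template, a shell command or
a log line. The following is an added illustration written for this bulletin,
not code from uClibc, Hitachi Energy or CISA; the sample names are constructed,
and the RFC 1123 rules it enforces (letters, digits and hyphens only, labels of
at most 63 octets, no leading or trailing hyphen, 253 octets total) are the
assumed acceptance policy.

```python
import re

# Hostname label per RFC 1123: alphanumerics and hyphens, 1-63 octets,
# not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Return True if `name` is a syntactically valid hostname.

    A trailing dot (fully qualified form) is tolerated. Anything containing
    characters outside the hostname alphabet, such as spaces, quotes, angle
    brackets or control characters, is rejected.
    """
    if not name:
        return False
    if name.endswith("."):
        name = name[:-1]
    if len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def validate_resolved_names(names):
    """Split names returned by a resolver (canonical name plus aliases) into
    accepted and rejected lists, so that only accepted names are ever passed
    on to HTML output, shell commands, log lines or other consumers."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_valid_hostname(n) else rejected).append(n)
    return accepted, rejected


# Constructed sample: what an unvalidated stub resolver might hand back,
# mixing legitimate names with names carrying characters and label lengths
# that have no place in a hostname.
SAMPLE_NAMES = [
    "host-1.example.net.",
    "<b>bad</b>.example.net",
    "bad name.example.net",
    "-leadinghyphen.example.net",
    "a" * 64 + ".example.net",
    "ok.example.net",
]

if __name__ == "__main__":
    good, bad = validate_resolved_names(SAMPLE_NAMES)
    print("accepted:", good)
    print("rejected:", bad)
```

Applying the check to every name a resolver returns, not only to the one the
application asked for, is what closes the gap on a platform whose libc does
not perform it.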

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote
attackers to cause a denial of service (daemon exit or system time change) by
predicting transmit timestamps for use in spoofed packets. The victim must rely
on unauthenticated IPv4 time sources. There must be an off-path attacker who
could query time from the victim's ntpd instance.

CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path
attacker to block unauthenticated synchronization via a server mode packet with
a spoofed source IP address because transmissions are rescheduled even when a
packet lacks a valid origin timestamp.

CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the
Linux kernel when handling TCP selective acknowledgments (SACKs). A remote
attacker could use this to cause a denial of service. This has been fixed in
stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is
fixed in commit.

CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A vulnerability named "non-responsive delegation attack" (NRDelegation attack)
has been discovered in various DNS resolving software. The NRDelegation attack
works by having a malicious delegation with a considerable number of
non-responsive nameservers. The attack starts by querying a resolver for a
record that relies on those unresponsive nameservers. The attack could cause a
resolver to spend time/resources resolving records under a malicious delegation
point where a considerable number of unresponsive NS records reside. It could
trigger high CPU usage in some resolver implementations that continually look
in the cache for resolved NS records in that delegation, which could lead to
degraded performance and eventually denial of service in orchestrated attacks.
Unbound does not suffer from high CPU usage, but still requires resources to
resolve the malicious delegation. Unbound will continue to try to resolve the
record until it reaches hard limits. Based on the nature of the attack and the
replies, Unbound could reach different limits. From version 1.16.3 on, Unbound
introduces fixes for better performance when under load by cutting
opportunistic queries for nameserver discovery and DNSKEY prefetching and
limiting the number of times a delegation point can issue a cache lookup for
missing records.

CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.6 NULL POINTER DEREFERENCE CWE-476

snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer
exception bug that an unauthenticated attacker could use to remotely cause the
instance to crash via a crafted UDP packet, resulting in denial of service.

CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends the following actions:

  o Update to upcoming AFF660/665 FW 04.6.01 release when available.
  o Configure only trusted DNS server(s).
  o Configure the NTP service with redundant trustworthy sources of time.
  o Restrict TCP/IP-based management protocols to trusted IP addresses.
  o Disable the SNMP server (CLI and web interface will continue to function as
    they use an internal connection).
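
Two of the vendor actions above (restrict management protocols to trusted
addresses, disable the SNMP server) can be verified from the network side by
reviewing firewall logs for management traffic that should not be there. The
following is an added example written for this bulletin, not code from Hitachi
Energy or CISA: the log lines are constructed, the "SRC= DST= PROTO= DPT="
format is an assumed packet-filter layout, and the trusted network and port
list are placeholders to be replaced with the site's own values.

```python
import ipaddress
import re

# Management services that should be reachable only from trusted addresses;
# SNMP (161/udp) is listed so that any sighting can be flagged when the
# device's SNMP server is expected to be disabled.
MANAGEMENT_PORTS = {22: "ssh", 80: "http", 443: "https", 161: "snmp"}

# Assumed trusted management network (placeholder value).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Assumed log layout: a generic "SRC=... DST=... PROTO=... DPT=..." line
# such as a packet filter might emit.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")


def parse_line(line):
    """Extract source, destination, protocol and destination port, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": ipaddress.ip_address(src), "dst": dst,
            "proto": proto, "dport": int(dport)}


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETS)


def find_violations(lines, snmp_expected_disabled=True):
    """Return (line, reason) pairs for every log line in which a management
    protocol is reached from an untrusted source, or in which SNMP is reached
    at all when it is expected to be disabled on the device."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in MANAGEMENT_PORTS:
            continue
        service = MANAGEMENT_PORTS[rec["dport"]]
        if snmp_expected_disabled and service == "snmp":
            findings.append((line, "snmp traffic seen although SNMP should be disabled"))
        elif not is_trusted(rec["src"]):
            findings.append((line, f"{service} from untrusted source {rec['src']}"))
    return findings


# Constructed sample log: one permitted HTTPS session, one SSH attempt from
# outside the trusted network, one SNMP query, and unrelated NTP traffic.
SAMPLE_LOG = [
    "Aug 22 10:00:01 fw kernel: SRC=10.10.0.5 DST=10.20.0.9 PROTO=TCP DPT=443",
    "Aug 22 10:00:07 fw kernel: SRC=192.0.2.44 DST=10.20.0.9 PROTO=TCP DPT=22",
    "Aug 22 10:00:09 fw kernel: SRC=10.10.0.5 DST=10.20.0.9 PROTO=UDP DPT=161",
    "Aug 22 10:00:12 fw kernel: SRC=10.10.0.7 DST=10.20.0.9 PROTO=UDP DPT=123",
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against real logs, a non-empty result after the firmware update and
configuration changes indicates either a filter rule that was not applied or a
device on which the SNMP server is still enabled.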

Hitachi Energy recommends the following general mitigations:

  o Recommended security practices and firewall configurations could help
    protect a process control network from attacks originating from outside the
    network.
  o Physically protect process control systems from direct access by
    unauthorized personnel.
  o Ensure process control systems have no direct connections to the internet
    and are separated from other networks via a firewall system with minimal
    exposed ports.
  o Do not use process control systems for internet surfing, instant messaging,
    or receiving emails.
  o Scan portable computers and removable storage media for malware prior to
    connection to a control system.

For more information, see Hitachi Energy's Security Advisory 8DBD000167.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper
ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time. These vulnerabilities are exploitable
remotely and have low attack complexity.

This product is provided subject to this Notification and this Privacy & Use 
policy.

Vendor

Hitachi Energy

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----