-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.4826
              ICS Advisory | ICSA-23-234-01 Hitachi Energy AFF66x
                               23 August 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hitachi Energy AFF66x
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3204 CVE-2021-43523 CVE-2020-13817
                   CVE-2020-11868 CVE-2019-11477 CVE-2018-18066

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01

Comment: CVSS (Max):  9.6 CVE-2021-43523 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-234-01)

Hitachi Energy AFF66x

Release Date
August 22, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 9.6
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Hitachi Energy
  o Equipment: AFF66x
  o Vulnerabilities: Cross-site Scripting, Use of Insufficiently Random
    Values, Origin Validation Error, Integer Overflow or Wraparound,
    Uncontrolled Resource Consumption, NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
compromise availability, integrity, and confidentiality of the targeted
devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports these vulnerabilities affect the following AFF660/665
products:

  o AFF660/665: Firmware 03.0.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE SCRIPTING CWE-79

In uClibc and uClibc-ng before 1.0.39, incorrect handling of special
characters in domain names DNS servers returned via gethostbyname,
getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong
hostnames (leading to domain hijacking) or injection into applications
(leading to remote code execution, XSS, application crashes, etc.). In other
words, a validation step, which is expected in any stub resolver, does not
occur.

CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score
of 9.6 has been calculated; the CVSS vector string is
( AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H ).

3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote
attackers to cause a denial of service (daemon exit or system time change) by
predicting transmit timestamps for use in spoofed packets. The victim must
rely on unauthenticated IPv4 time sources. There must be an off-path attacker
who could query time from the victim's ntpd instance.

CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score
of 7.4 has been calculated; the CVSS vector string is
( AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H ).

3.2.3 ORIGIN VALIDATION ERROR CWE-346

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path
attacker to block unauthenticated synchronization via a server mode packet
with a spoofed source IP address because transmissions are rescheduled even
when a packet lacks a valid origin timestamp.

CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ).
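The following is an added example and is not code from uClibc, uClibc-ng, Hitachi Energy or the upstream fix for CVE-2021-43523. It shows, in C, the kind of validation step that 3.2.1 above says a stub resolver should apply to a returned name before an application uses it: a check of the name against the RFC 1123 hostname syntax (ASCII letters, digits and hyphens in labels of at most 63 characters, 253 characters overall, no leading or trailing hyphen in a label). The rule set and the sample names are assumptions of this example; the samples are constructed and are not taken from any real traffic.

```c
/* Added example, not uClibc/uClibc-ng code and not the upstream fix:
 * a hostname validation step of the kind 3.2.1 says a stub resolver should
 * apply before handing a name back to an application. The rule set assumed
 * here is RFC 1123 hostname syntax; the sample names below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253   /* total length limit without the trailing dot */
#define MAX_LABEL     63   /* per-label limit */

/* Returns 1 when name is a syntactically valid hostname, 0 otherwise. */
int valid_hostname(const char *name)
{
    size_t total, label = 0;

    if (name == NULL || name[0] == '\0')
        return 0;

    total = strlen(name);
    if (name[total - 1] == '.')        /* accept one trailing dot (FQDN form) */
        total--;
    if (total == 0 || total > MAX_HOSTNAME)
        return 0;

    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            /* Reject empty labels ("a..b") and labels ending in '-'. */
            if (label == 0 || name[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        /* Only ASCII letters, digits and '-' may appear in a label. This is
         * what rejects '<', '"', ';', whitespace, control bytes and anything
         * non-ASCII before the name reaches HTML, logs or a shell. */
        if (c >= 0x80 || !(isalnum(c) || c == '-'))
            return 0;
        if (label == 0 && c == '-')    /* a label must not start with '-' */
            return 0;
        if (++label > MAX_LABEL)
            return 0;
    }
    /* The loop checks a trailing '-' only before a dot; check the last label. */
    return name[total - 1] != '-';
}

/* Constructed sample answers a resolver might hand back (not real traffic). */
static const char *const sample_names[] = {
    "ntp.example.com",
    "host-1.example.com.",
    "<script>alert(1)</script>.example.com",
    "a b.example.com",
    "-bad.example.com",
    "bad-.example.com",
    "",
};
#define NSAMPLES (sizeof sample_names / sizeof sample_names[0])

/* Returns how many of the constructed samples pass validation. */
int count_valid_samples(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (valid_hostname(sample_names[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-40s %s\n", sample_names[i],
               valid_hostname(sample_names[i]) ? "accept" : "reject");
    return 0;
}
```

The check is purely syntactic: it stops markup, whitespace and shell metacharacters in a returned name from reaching templating, logging or command code, which is the injection outcome 3.2.1 describes. It is not a substitute for the mitigation in section 4 of configuring only trusted DNS servers.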
3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190

TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the
Linux kernel when handling TCP selective acknowledgments (SACKs). A remote
attacker could use this to cause a denial of service. This has been fixed in
stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is
fixed in commit.

CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ).

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A vulnerability named "non-responsive delegation attack" (NRDelegation attack)
has been discovered in various DNS resolving software. The NRDelegation attack
works by having a malicious delegation with a considerable number of
non-responsive nameservers. The attack starts by querying a resolver for a
record that relies on those unresponsive nameservers. The attack could cause a
resolver to spend time/resources resolving records under a malicious
delegation point where a considerable number of unresponsive NS records
reside. It could trigger high CPU usage in some resolver implementations that
continually look in the cache for resolved NS records in that delegation,
which could lead to degraded performance and eventually denial of service in
orchestrated attacks. Unbound does not suffer from high CPU usage, but still
requires resources to resolve the malicious delegation. Unbound will continue
to try to resolve the record until it reaches hard limits. Based on the nature
of the attack and the replies, Unbound could reach different limits. From
version 1.16.3 on, Unbound introduces fixes for better performance when under
load by cutting opportunistic queries for nameserver discovery and DNSKEY
prefetching and limiting the number of times a delegation point can issue a
cache lookup for missing records.

CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ).

3.2.6 NULL POINTER DEREFERENCE CWE-476

snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL
pointer exception bug that an unauthenticated attacker could use to remotely
cause the instance to crash via a crafted UDP packet, resulting in denial of
service.

CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been calculated; the CVSS vector string is
( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Energy
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends the following actions:

  o Update to the upcoming AFF660/665 FW 04.6.01 release when available.
  o Configure only trusted DNS server(s).
  o Configure the NTP service with redundant trustworthy sources of time.
  o Restrict TCP/IP-based management protocols to trusted IP addresses.
  o Disable the SNMP server (CLI and web interface will continue to function
    as they use an internal connection).

Hitachi Energy recommends the following general mitigations:

  o Recommended security practices and firewall configurations could help
    protect a process control network from attacks originating from outside
    the network.
  o Physically protect process control systems from direct access by
    unauthorized personnel.
  o Ensure process control systems have no direct connections to the internet
    and are separated from other networks via a firewall system with minimal
    exposed ports.
  o Do not use process control systems for internet surfing, instant
    messaging, or receiving emails.
  o Scan portable computers and removable storage media for malware prior to
    connection to a control system.

For more information, see Hitachi Energy's Security Advisory: 8DBD000167.
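Returning to 3.2.4 above, the following is an added example and is not Linux kernel code, the upstream patch for CVE-2019-11477, or anything from Hitachi Energy. It models in C the 16-bit counter the description names (TCP_SKB_CB(skb)->tcp_gso_segs is a u16 in the kernel): an unguarded accumulation that wraps silently when many segments are merged into one buffer, beside a guarded accumulation that computes the sum in a wider type and refuses the merge instead. The merge simulation, its function names and its numbers are assumptions constructed for illustration only.

```c
/* Added example, not Linux kernel code and not the upstream patch for
 * CVE-2019-11477: a model of the 16-bit segment counter 3.2.4 names
 * (TCP_SKB_CB(skb)->tcp_gso_segs is a u16). It shows the counter wrapping
 * silently when many segments are merged, and a guarded accumulation that
 * checks the sum in a wider type and refuses the merge instead. The merge
 * simulation and its numbers are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

#define GSO_SEGS_MAX UINT16_MAX   /* largest value a 16-bit counter holds */

/* Unguarded: plain u16 addition, which wraps modulo 65536. */
uint16_t add_segs_unchecked(uint16_t cur, uint16_t add)
{
    return (uint16_t)(cur + add);   /* 65535 + 1 yields 0 */
}

/* Returns 1 if cur + add cannot be represented in a u16. */
int segs_would_wrap(uint16_t cur, uint16_t add)
{
    return (uint32_t)cur + add > GSO_SEGS_MAX;
}

/* Guarded: adds only when the result fits; returns 1 on success and
 * 0 (leaving *cur untouched) when the addition would wrap. */
int add_segs_checked(uint16_t *cur, uint16_t add)
{
    if (segs_would_wrap(*cur, add))
        return 0;
    *cur = (uint16_t)(*cur + add);
    return 1;
}

/* Simulates merging n segments of segs_each GSO segments into one buffer
 * using the guarded add. Returns how many merges were accepted before the
 * guard refused; the running total is stored in *final_total if non-NULL. */
unsigned coalesce_accepted(unsigned n, uint16_t segs_each, uint16_t *final_total)
{
    uint16_t total = 0;
    unsigned accepted = 0;

    for (unsigned i = 0; i < n; i++) {
        if (!add_segs_checked(&total, segs_each))
            break;
        accepted++;
    }
    if (final_total)
        *final_total = total;
    return accepted;
}

int main(void)
{
    uint16_t total;
    unsigned ok;

    printf("unchecked 65535 + 1 = %u\n", add_segs_unchecked(65535, 1));
    ok = coalesce_accepted(70000, 1, &total);
    printf("checked: accepted %u merges, counter stopped at %u\n", ok, total);
    return 0;
}
```

The point for a defender is the second half: once a per-buffer counter has a hard ceiling, a peer feeding many tiny SACKed segments can only make the merge stop, not make the counter read as a small number while the buffer holds far more data. Devices running firmware 03.0.02 and prior carry a kernel without that guard, so the network-level mitigations in section 4 (restricting management protocols to trusted addresses) remain the control until FW 04.6.01 is applied.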
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing
cyber defense best practices are available for reading and download,
including Improving Industrial Control Systems Cybersecurity with
Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage at cisa.gov/ics in the technical information
paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow
established internal procedures and report findings to CISA for tracking and
correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has
been reported to CISA at this time. These vulnerabilities are exploitable
remotely. These vulnerabilities have low attack complexity.

This product is provided subject to this Notification and this Privacy & Use
policy.

Vendor
Hitachi Energy

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZOVlJMkNZI30y1K9AQgmTRAAi2LVADcmN9VaCxIKTFi6g8FxTirU+7lT
tGq90W4xBDM0V+TPMNnMuAOmb3MnSCiqIWuSe+GnjTiSCgjQpy7xq5XMvUNNeeQn
9mpNGBGZQrJ3mEZo1UZivc+hR13bWX+w+Pebv3XYbh/MqAe0tjdxen2bbHXla9jY
udDSsY2JslX2pIBW73/IRWIduQYqFKWusM4H4gUYVj5sOUdCw5KnhNA9BS3sNtGM
MHZ5IFfWeIF6HhjFYamafSjNzJkeoQ2wCvGO8pEJQRm85Uhfb3Vu8YLPhuUqs3j0
0Tsu0mAWBQpOxNKvgEdObjrbTUFGDeAWtbNnfJ3sj9NqPjKuN/F8v8yLKRTEob0L
yr0jDIH8PFEf7Ylr9lzWgtW+XM6SzAUltEvYEmu8ItLcEfkZg4VuMpYDWfPig0hp
gWjXLtPfzEnDQppU4Qv1y6McTlWtLPZjiHrkrjychxkbGLbA0nb5Q/aIld2c7cWm
/b7lKGe+x9aDn+Yechl4d/InpoMJDWiXdo4F8vb4wjrqOEM38cK+Pr1eK8BaRChR
A+0wg3humx1K7OxtMbhOWaXWWlLBSQ5MloQrl3EGoC9Hax/0B6X/aDz0SGurK22F
1/Kx+oV6kcoNpQ5rTiHSLMijmkjnb+z+5kHGCQJTVj8x6JnLUnpTfWZgQaMyfvfO
5dokmaIZOa8=
=KLfd
-----END PGP SIGNATURE-----