Hitachi ABB Power Grids AFS Series
Monitor | 6.5 | ICS-CERT ICSA-21-075-03 | Mar 16, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Hitachi ABB Power Grids AFS660-SR and AFS665-SR Ethernet switches allows denial of service on one port in an HSR (High-availability Seamless Redundancy) ring topology. An attacker on the local network can send malformed HSR frames that the switch misprocesses, resulting in one port becoming unavailable. This impacts the redundancy guarantees of the ring configuration. Hitachi ABB Power Grids has stated that the vulnerability can be fixed by modifying how the switch processes HSR frames, but no patched firmware has been released yet for the affected product version (7.0.07).
What this means
What could happen
An attacker on the local network could disrupt one port in a Hitachi ABB redundant ring topology by triggering a denial-of-service condition, potentially degrading network resilience if the ring cannot fail over properly.
Who's at risk
Electric utility operators using Hitachi ABB AFS660-SR or AFS665-SR redundant Ethernet switches in protection and control systems for high-voltage substations. These switches are critical to maintaining network redundancy in substation automation systems.
How it could be exploited
An attacker with access to the same network segment as the AFS switch sends specially crafted HSR (High-availability Seamless Redundancy) frames that trigger a processing error in the switch, causing one port in the redundant ring to stop functioning.
Prerequisites
- Network access to the same Layer 2 network segment as the AFS660-SR or AFS665-SR switch (cannot be exploited remotely over routed networks)
- Ability to send raw Ethernet frames with HSR headers to the switch
- No patch currently available
- Affects redundancy systems in electrical infrastructure
- Local network access required but difficult to detect
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| AFS660-SR | 7.0.07 | No fix yet |
| AFS665-SR | 7.0.07 | No fix yet |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update AFS660-SR and AFS665-SR switches to a patched version when available from Hitachi ABB Power Grids
Long-term hardening
- HARDENING: Isolate AFS switches from untrusted network segments using managed firewalls or network access controls
- HARDENING: Implement network segmentation to ensure only authorized maintenance personnel and control devices can reach the AFS switches
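As a detection counterpart to the hardening items above, this added example (not code from the advisory or from Hitachi ABB Power Grids) scans captured raw Ethernet frames and flags HSR-tagged frames whose source MAC is not a known ring member. The MAC allowlist and sample frames are constructed, and the tag layout is assumed to be the IEC 62439-3 one (EtherType 0x892F, 4-bit path ID, 12-bit LSDU size, 16-bit sequence number), optionally behind a single 802.1Q tag.

```python
import struct

HSR_ETHERTYPE = 0x892F    # HSR tag EtherType (IEC 62439-3)
DOT1Q_ETHERTYPE = 0x8100  # optional 802.1Q tag ahead of the HSR tag (assumed order)

def parse_hsr(frame):
    """Return the HSR tag fields of a raw Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        return None
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == DOT1Q_ETHERTYPE and len(frame) >= off + 6:
        off += 4  # skip the VLAN tag, then read the next EtherType
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype != HSR_ETHERTYPE:
        return None
    tag = {"src": frame[6:12].hex(":"), "truncated": len(frame) < off + 6}
    if not tag["truncated"]:
        path_size, seq = struct.unpack_from("!HH", frame, off + 2)
        tag.update(path_id=path_size >> 12, lsdu_size=path_size & 0x0FFF, seq=seq)
    return tag

def audit(frames, ring_members):
    """List (index, source MAC, reason) for HSR frames that need a closer look."""
    allowed = {m.lower() for m in ring_members}
    alerts = []
    for i, frame in enumerate(frames):
        tag = parse_hsr(frame)
        if tag is None:
            continue  # not HSR traffic, out of scope for this check
        if tag["src"] not in allowed:
            alerts.append((i, tag["src"], "HSR frame from non-ring source"))
        elif tag["truncated"]:
            alerts.append((i, tag["src"], "truncated HSR tag"))
    return alerts

def make_frame(src, etype, body=b""):
    # Constructed sample frame: broadcast destination, given source and EtherType.
    return b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", etype) + body

RING = ["02:00:00:00:00:01", "02:00:00:00:00:02"]  # constructed allowlist of ring nodes
HSR_BODY = struct.pack("!HHH", 52, 7, 0x0800) + b"\x00" * 46  # path 0, size 52, seq 7
SAMPLES = [  # constructed frames, not captured traffic
    make_frame("02:00:00:00:00:01", HSR_ETHERTYPE, HSR_BODY),    # ring member
    make_frame("02:00:00:00:00:99", HSR_ETHERTYPE, HSR_BODY),    # not in allowlist
    make_frame("02:00:00:00:00:99", 0x0800, b"\x00" * 46),       # no HSR tag, ignored
    make_frame("02:00:00:00:00:02", HSR_ETHERTYPE, b"\x00\x34"), # tag cut short
]

if __name__ == "__main__":
    for alert in audit(SAMPLES, RING):
        print(alert)
```

Feed it frames from a mirror port or capture on the segment that carries the ring, with the allowlist taken from the site's own asset inventory.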
CVEs (1)