Hitachi Energy RTU500 OpenLDAP
Monitor | 7.5 | ICS-CERT ICSA-21-341-01 | Dec 7, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The RTU500 series CMU (Communications Module Unit) contains vulnerabilities in OpenLDAP handling (CWE-843, CWE-617) that allow remote attackers to cause denial-of-service conditions. The vulnerabilities affect firmware versions 12.6.X, 12.7.X, 13.0.X, 13.1.X, and 13.2.X when the CAM (Command Access Module) function is enabled. The CAM function is disabled by default. Exploitation requires only network access and no authentication or user interaction. Hitachi Energy has released firmware patches for most affected versions (v12.6.7, v12.7.2, v13.2.3) and recommends updating. Disabling the CAM function eliminates the attack surface if the module is not required.
What this means
What could happen
An attacker can remotely trigger a denial-of-service attack on the RTU500 CMU, causing it to become unresponsive and potentially disrupting real-time monitoring and control of the power distribution or transmission network.
Who's at risk
Energy utilities operating Hitachi Energy RTU500 series Remote Terminal Units (RTUs) with the CMU (Communications Module Unit) should be concerned. RTU500 devices are commonly used in substations and control centers for SCADA and distribution automation. Any site using the RTU500 in firmware versions 12.6.X, 12.7.X, 13.0.X, 13.1.X, or 13.2.X with the optional CAM (Command Access Module) function enabled is at risk.
How it could be exploited
An attacker with network access to the RTU500 CMU can send a specially crafted request that exploits the OpenLDAP vulnerability (CWE-843/CWE-617) to crash the device or hang a service. The device does not require authentication or a valid session for this attack.
Prerequisites
- Network access to the RTU500 CMU on the port(s) used by the CAM function
- CAM (Command Access Module) function must be configured and enabled on the device
Tags: remotely exploitable; no authentication required; low complexity; affects real-time control systems; no patch available for firmware versions 12.4.X and 13.2.1
Exploitability
Moderate exploit probability (EPSS 2.2%)
Affected products (1)
Product | Affected Versions | Fix Status
RTU500 Series CMU: Firmware | 12.6.X; 13.0.X; 13.2.1 and 3 more | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the CAM (Command Access Module) function if it is not required for operations, as it is disabled by default and is the only attack surface for this vulnerability.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update RTU500 CMU firmware to: v12.6.7 (for 12.6.X), v12.7.2 (for 12.7.X), or v13.2.3 (for 13.0.X, 13.1.X, 13.2.X). See Hitachi Energy advisory 8DBD000066 for detailed update procedures.
Long-term hardening
HARDENING: Restrict network access to RTU500 CMU devices using firewall rules to allow only necessary engineering workstations and control system traffic; do not expose the device directly to the Internet.
HARDENING: Implement physical access controls to prevent unauthorized personnel from directly connecting to or tampering with RTU500 CMU devices.
HARDENING: Isolate process control network segments from general IT networks using firewalls with minimal exposed ports.
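Added example (not part of the advisory or any Hitachi Energy tooling): a triage helper that applies the fix mapping and the CAM condition above to an asset inventory. The inventory format, host names and status labels are assumptions made for illustration.

```python
import re

# Fixed release for each firmware train, taken from the remediation text above.
FIXED = {
    (12, 6): (12, 6, 7),
    (12, 7): (12, 7, 2),
    (13, 0): (13, 2, 3),
    (13, 1): (13, 2, 3),
    (13, 2): (13, 2, 3),
}

def parse_version(text):
    """Parse 'v13.2.1' or '13.2.1' into (13, 2, 1); reject wildcards like '13.2.X'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError("not a concrete firmware version: %r" % text)
    return tuple(int(part) for part in m.groups())

def triage(version, cam_enabled):
    """Return (status, action) for one CMU; status labels are this example's own."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        # Train has no fixed release listed on this page.
        return ("not-in-fix-list", "consult Hitachi Energy advisory 8DBD000066")
    if ver >= fixed:
        return ("fixed", "none")
    target = "v%d.%d.%d" % fixed
    if cam_enabled:
        # CAM enabled on an unfixed release: the condition the advisory describes.
        return ("exposed", "disable CAM if not required; update to " + target)
    return ("affected-cam-off", "keep CAM disabled; update to " + target)

# Constructed inventory; host names are hypothetical.
INVENTORY = [
    ("rtu-sub-a", "12.6.3", True),
    ("rtu-sub-b", "13.1.0", False),
    ("rtu-sub-c", "v13.2.3", True),
    ("rtu-sub-d", "12.4.1", True),
]

def report(inventory):
    """Triage every device; returns [(host, status, action), ...]."""
    return [(host,) + triage(ver, cam) for host, ver, cam in inventory]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print("%-10s %-17s %s" % row)
```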
CVEs (2)