OTPulse

Hitachi Energy RTU500

CVSS: 7.5
Source: ICS-CERT ICSA-22-235-07, Aug 23, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A stack overflow vulnerability in Hitachi Energy RTU500 series CMU devices allows an attacker to send specially crafted Modbus TCP packets at high rates, causing the device to reboot. The vulnerability affects firmware versions 12.0.1–12.0.13, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.7, 12.7.1–12.7.3, 13.2.1–13.2.4, and 13.3.1. Successful exploitation results in denial of service and interruption of substation communications and control operations.

What this means
What could happen
An attacker could send malicious Modbus TCP traffic to an RTU500 causing a stack overflow, forcing the device to reboot and interrupting real-time communications and control operations at substations or remote sites.
Who's at risk
Energy utilities and operators responsible for substations and remote terminal units. Specifically affects RTU500 series Compact Modular Units (CMU) used as intelligent gateway devices in substations for SCADA communications and distributed control.
How it could be exploited
An attacker with network access to the RTU500's Modbus TCP port (typically 502) sends specially crafted high-rate packets that overflow the device's stack buffer. The device reboots, disrupting SCADA communications and control commands to/from the substation.
Prerequisites
  • Network access to Modbus TCP port (default 502) on RTU500
  • No authentication required to send Modbus packets
  • Device must be on a reachable network segment
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Default Modbus TCP port exposed
  • Causes denial of service to control operations
  • Affects critical infrastructure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                      Affected Versions                                         Fix Status
RTU500 series CMU: Firmware  12.4.1-12.4.11; 12.7.1-12.7.3; 12.6.1-12.6.7 and 4 more   No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict Modbus TCP access (port 502) to only authorized SCADA servers and engineering workstations using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 series CMU firmware to version 12.0.14.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 12.2.12.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 12.4.12.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 12.6.8.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 12.7.4.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 13.2.5.0 or higher (applicable branch)
HOTFIX: Update RTU500 series CMU firmware to version 13.3.2.0 or higher (applicable branch)
Long-term hardening
HARDENING: Isolate RTU500 devices on a dedicated control network segment separated from corporate networks and the internet
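As an added defensive example (not part of the OTPulse advisory or Hitachi Energy's guidance), the following Python script parses Modbus/TCP MBAP headers from captured packets and flags the conditions this advisory describes: traffic to port 502 from sources outside the authorized SCADA/engineering allowlist, malformed headers, and per-source packet rates above a threshold. The allowlist addresses, the sample packets and the 50 packets/second threshold are constructed assumptions.

```python
import struct
from collections import defaultdict

# Assumed values: authorized SCADA server and engineering workstation for this RTU.
RTU_ALLOWLIST = {"10.10.1.5", "10.10.1.6"}
RATE_LIMIT_PPS = 50      # per-source packets/second; threshold chosen for illustration
MODBUS_PORT = 502

def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP MBAP header; return its fields or None if malformed."""
    if len(payload) < 8:                     # 7-byte MBAP header + at least a function code
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0 for Modbus; length covers unit id + PDU and is at most 254.
    if pid != 0 or length != len(payload) - 6 or length > 254:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def analyse(packets):
    """packets: iterable of (timestamp_s, src_ip, dst_port, payload). Returns sorted findings."""
    per_second = defaultdict(int)
    findings = set()
    for ts, src, dport, payload in packets:
        if dport != MODBUS_PORT:
            continue
        if src not in RTU_ALLOWLIST:
            findings.add(("unauthorized_source", src))
        if parse_mbap(payload) is None:
            findings.add(("malformed_mbap", src))
        key = (src, int(ts))                 # bucket packets per source per second
        per_second[key] += 1
        if per_second[key] > RATE_LIMIT_PPS:
            findings.add(("high_rate", src))
    return sorted(findings)

def read_holding(tid: int) -> bytes:
    """Constructed well-formed request: FC 3 read holding registers, unit 1, start 0, count 10."""
    pdu = bytes([3]) + struct.pack(">HH", 0, 10)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu

# Constructed capture: normal polling from the SCADA server, then a one-second burst
# of 200 packets plus one malformed header (protocol id 1) from an unauthorized host.
SAMPLE = [(float(i), "10.10.1.5", 502, read_holding(i)) for i in range(5)]
SAMPLE += [(10.0 + i / 1000, "192.0.2.77", 502, read_holding(i)) for i in range(200)]
SAMPLE.append((10.5, "192.0.2.77", 502, b"\x00\x01\x00\x01\x00\x06\x01\x03"))

def sample_findings():
    return analyse(SAMPLE)

if __name__ == "__main__":
    for kind, src in sample_findings():
        print(f"{kind}: {src}")
```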
Hitachi Energy RTU500 | CVSS 7.5 - OTPulse