OTPulse

Hitachi Energy RTU500 series

Monitor · CVSS 7.5 · ICS-CERT ICSA-22-242-04 · Aug 30, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability in the CMU (Communication Module Unit) firmware of the Hitachi Energy RTU500 series affects devices that have HCI Modbus TCP configured. Malformed Modbus TCP input sent to that interface triggers an internal buffer overflow that reboots the device and interrupts SCADA communications until it comes back up. The flaw is reachable over the network and requires no authentication. Affected firmware versions are 12.0.x through 12.0.13.0, 12.2.x through 12.2.11.0, 12.4.x through 12.4.11.0, 12.6.x through 12.6.7.0, 12.7.x through 12.7.3.0, and 13.2.x through 13.2.4.0; Hitachi Energy has released fixed firmware for each branch. Only devices with HCI Modbus TCP enabled are exposed, and the function is disabled by default, so the first check is whether it is turned on at all.

What this means
What could happen
An attacker on the network can send a malformed message to the RTU's Modbus TCP interface, causing a buffer overflow that reboots the device and interrupts remote monitoring and control functions at generation, transmission, or distribution facilities.
Who's at risk
Energy sector operators managing Hitachi Energy RTU500 remote terminal units at generation stations, substations, or distribution control centers should review this advisory. RTU500 series are critical SCADA devices used for telemetry and control across the bulk electric system and local distribution networks.
How it could be exploited
An attacker sends a crafted Modbus TCP packet to the RTU500's HCI Modbus TCP port (typically 502). The malformed input triggers a buffer overflow in the CMU firmware, causing the device to reboot and drop communications with SCADA systems until it restarts.
Prerequisites
  • Network access to RTU500 Modbus TCP port (default 502)
  • HCI Modbus TCP function must be enabled on the device
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • Causes denial of service to monitoring and control functions
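The advisory describes the failure mode (a malformed Modbus TCP frame reaching a copy routine that overruns an internal buffer) but not the specific field involved, so the following is an added example, not Hitachi Energy's firmware code and not a reproduction of the RTU500 bug. It shows the framing checks a hardened Modbus TCP receiver, or a passive monitor watching port 502 for exploitation attempts, applies before any frame is buffered: the MBAP length field is compared against the bytes actually on the wire and against the protocol maximum, and the function 0x03 (Read Holding Registers) quantity is bounded. The sample frames are constructed, not captured traffic; the `SAMPLE_FRAMES` labels and the `audit` helper are this example's own names.

```python
"""Defensive Modbus/TCP framing checks (added example, generic to the protocol)."""
import struct
from dataclasses import dataclass

MBAP_LEN = 7                   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253                  # Modbus spec: a PDU is at most 253 bytes
MAX_LENGTH_FIELD = MAX_PDU + 1 # MBAP length field counts unit id + PDU
READ_HOLDING_REGISTERS = 0x03
MAX_READ_REGISTERS = 125       # spec limit for one function 0x03 request


class MalformedFrame(ValueError):
    """Raised for any frame a receiver should drop before copying it anywhere."""


@dataclass(frozen=True)
class Frame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(buf: bytes) -> Frame:
    """Validate the MBAP header against the bytes actually received, then the PDU.

    Each check compares a declared size with a real one. A receiver that trusts the
    declared 'length' and copies that many bytes into a fixed buffer is the class of
    defect the advisory describes; rejecting here keeps such input away from the copy.
    """
    if len(buf) < MBAP_LEN + 1:  # need the header plus at least a function code
        raise MalformedFrame(f"truncated frame: {len(buf)} bytes")
    tid, pid, length, uid = struct.unpack(">HHHB", buf[:MBAP_LEN])
    if pid != 0:
        raise MalformedFrame(f"protocol id {pid} is not Modbus (0)")
    if not 2 <= length <= MAX_LENGTH_FIELD:
        raise MalformedFrame(f"length field {length} out of range 2..{MAX_LENGTH_FIELD}")
    # 'length' covers everything after the first six header bytes (unit id + PDU)
    if len(buf) != 6 + length:
        raise MalformedFrame(f"length field {length} does not match {len(buf) - 6} bytes on the wire")
    fc, data = buf[MBAP_LEN], buf[MBAP_LEN + 1:]
    if fc == READ_HOLDING_REGISTERS:
        if len(data) != 4:
            raise MalformedFrame(f"function 0x03 needs 4 data bytes, got {len(data)}")
        _start, quantity = struct.unpack(">HH", data)
        if not 1 <= quantity <= MAX_READ_REGISTERS:
            raise MalformedFrame(f"function 0x03 quantity {quantity} outside 1..{MAX_READ_REGISTERS}")
    return Frame(tid, uid, fc, data)


def check_frame(buf: bytes) -> str:
    """Return 'ok' or the rejection reason, in a form suitable for a log line or alert."""
    try:
        parse_modbus_tcp(buf)
        return "ok"
    except MalformedFrame as exc:
        return f"rejected: {exc}"


def mbap(tid: int, length: int, uid: int = 1, pid: int = 0) -> bytes:
    """Build an MBAP header (helper for the constructed samples below)."""
    return struct.pack(">HHHB", tid, pid, length, uid)


# Constructed sample frames for illustration; none of these is captured traffic.
_READ_10 = struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 10)
SAMPLE_FRAMES = {
    "read 10 holding registers": mbap(1, 6) + _READ_10,
    "length field 65535":        mbap(2, 0xFFFF) + _READ_10,
    "20 bytes of trailing data": mbap(3, 6) + _READ_10 + b"\x41" * 20,
    "protocol id 1":             mbap(4, 6, pid=1) + _READ_10,
    "5-byte fragment":           b"\x00\x05\x00\x00\x00",
    "quantity 200":              mbap(6, 6) + struct.pack(">BHH", READ_HOLDING_REGISTERS, 0, 200),
}


def audit(frames: dict = SAMPLE_FRAMES) -> dict:
    """Run every sample through the validator; only the well-formed request passes."""
    return {label: check_frame(buf) for label, buf in frames.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:28s} {verdict}")
```

Run stand-alone it prints one verdict per sample; only "read 10 holding registers" is accepted. The same `check_frame` can be applied to payloads extracted from a port 502 capture to flag frames that a correct peer would never send, which is a practical way to spot probing of an RTU's HCI Modbus TCP interface.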
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product: RTU500 series CMU Firmware
Affected versions: 12.0.x through 12.0.13.0; 12.2.x through 12.2.11.0; 12.4.x through 12.4.11.0; 12.6.x through 12.6.7.0; 12.7.x through 12.7.3.0; 13.2.x through 13.2.4.0
Fix status: Fixed firmware released for each branch (see Remediation & Mitigation)
Remediation & Mitigation
Do now
WORKAROUND: If HCI Modbus TCP is not required for operations, disable the function in the RTU500 configuration. It is disabled by default, so confirm the current setting on each device rather than assuming it; only devices with the function enabled are exposed.
HARDENING: Use firewall rules to restrict access to the Modbus TCP port (502) on RTU500 devices to authorized engineering networks and SCADA systems only. Source-address filtering reduces exposure but does not protect against a compromised host on the authorized network, so pair it with the workaround wherever the function is unused.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 CMU firmware to a patched version: 12.0.14.0 or higher (if running 12.0.x), 12.2.12.0 or higher (if running 12.2.x), 12.4.12.0 or higher (if running 12.4.x), 12.6.8.0 or higher (if running 12.6.x), 12.7.4.0 or higher (if running 12.7.x), or 13.2.5.0/13.3.1.0 or higher (if running 13.2.x).
Long-term hardening
HARDENING: Isolate RTU500 and other control system networks from business networks and the internet using network segmentation and firewalls.