OTPulse

Hitachi Energy AFF660/665 Series

Act Now | 9.8 | ICS-CERT ICSA-22-263-02 | Sep 20, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Buffer overflow vulnerability in Hitachi Energy AFF660 and AFF665 Series firmware version 03.0.02 and earlier. Successful exploitation could overflow a buffer on the device and fully compromise it, allowing an attacker to execute arbitrary code.

What this means
What could happen
An attacker could exploit this vulnerability to run arbitrary code on the AFF660/665 protection relay, potentially disabling protective functions or causing abnormal power system operation. This could lead to uncontrolled power flow, equipment damage, or loss of protection coordination in the electrical grid.
Who's at risk
Electric utility operators using Hitachi Energy AFF660 or AFF665 protection relays in medium to large substations or generating stations. These devices are critical protective equipment in the high-voltage power system; compromise could affect protection coordination and grid stability.
How it could be exploited
An attacker with network access to the HTTP/HTTPS interface of the AFF660 or AFF665 device sends a specially crafted request that triggers a buffer overflow in the firmware. This allows execution of arbitrary code with full device privileges, compromising the protective relay function.
Prerequisites
  • Network access to HTTP or HTTPS port on the device
  • Device is running vulnerable firmware version 03.0.02 or earlier
  • HTTP or HTTPS server is enabled on the device
remotely exploitable · no authentication required · low complexity attack · no patch available · affects safety systems (protection relay) · critical CVSS score (9.8)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2), 2 EOL

Product       Affected Versions   Fix Status
AFF660 FW     ≤ 03.0.02           No fix (EOL)
AFF665 FW     ≤ 03.0.02           No fix (EOL)

Remediation & Mitigation
Do now
  • WORKAROUND: Enable the IP Access Restriction feature to limit HTTP and HTTPS traffic to trusted administrative networks only
  • WORKAROUND: Disable HTTP and HTTPS server on AFF660/AFF665 devices if remote management is not required
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AFF660 FW, AFF665 FW. Apply the following compensating controls:
  • HARDENING: Implement network segmentation with a firewall between the protection relay and other networks, allowing only necessary ports for SCADA/EMS communication
  • HARDENING: Ensure physical protection of the control system from unauthorized access
  • HARDENING: Do not connect the protection relay directly to the Internet
  • HARDENING: Scan any portable computers or removable media for malware before connecting to the control system