Hitachi Energy Modular Switchgear Monitoring (MSM)
Monitor 5
ICS-CERT ICSA-22-277-02
Oct 4, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Hitachi Energy Modular Switchgear Monitoring (MSM) versions 2.2 and earlier contain cross-site request forgery (CWE-352) and HTTP response splitting (CWE-113) vulnerabilities. Successful exploitation could allow an attacker to perform malicious command injection, trick authorized users into downloading malicious software to their computers, or pose as a legitimate user to perform unauthorized actions on the MSM system. The vulnerabilities can be exploited remotely via phishing emails containing malicious links to the MSM system, but require user interaction (clicking the link).
What this means
What could happen
An attacker could trick an authorized user into downloading malicious software onto their computer or performing unauthorized actions by posing as a legitimate user, potentially compromising the integrity of switchgear monitoring and control data.
Who's at risk
Energy utilities and industrial facilities operating Hitachi Energy Modular Switchgear Monitoring (MSM) systems should be concerned. This affects anyone who relies on MSM to monitor and control high-voltage switchgear, which is critical infrastructure at power generation stations, substations, and distribution centers.
How it could be exploited
The attacker sends a phishing email with a malicious link to the MSM system. When a valid user clicks the link, they are tricked into downloading malicious software to their computer or unknowingly performing actions that compromise the system. The attack exploits cross-site request forgery (CSRF) and HTTP response splitting vulnerabilities to manipulate user actions.
Prerequisites
- User must click a malicious link in an email
- Link must be to the MSM system
- User must be authorized to access MSM
- User must have a web browser capable of executing embedded scripts
- remotely exploitable
- user interaction required
- no patch available
- affects critical energy infrastructure
- low CVSS score but CSRF/phishing-based attacks are common
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| MSM | ≤ 2.2 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Do not click links to MSM systems that arrive via email; instead navigate directly to the MSM system using a known URL or bookmark.
- WORKAROUND: Report suspicious emails claiming to be from MSM or requesting MSM access to your IT administrator immediately.
- HARDENING: Scan all portable computers and removable storage media with antivirus software before connecting them to the network.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HARDENING: Configure email security controls to block or flag emails containing links to MSM systems.
- HARDENING: Ensure MSM is only used to access authorized information; disable or restrict internet access for non-essential functions.
Mitigations - no patch available
MSM has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement web application firewall (WAF) rules to detect and block CSRF and HTTP response splitting attacks.
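A sketch of the two WAF checks named above, written as request-screening logic for a reverse proxy placed in front of MSM. This is an added example, not code from Hitachi Energy or the advisory; the host name, paths, and the set of state-changing methods are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions for this sketch (not from the advisory): the MSM web UI is
# reached at this origin, and these methods are the state-changing ones.
MSM_ORIGIN = "https://msm.example.internal"  # placeholder host
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
CRLF = re.compile(r"[\r\n]")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded CR/LF are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def screen_request(method, target, headers):
    """Return (allowed, reason) for one request bound for MSM."""
    # CWE-113: CR/LF in the target or a header value may be reflected into response headers.
    if CRLF.search(fully_decode(target)):
        return False, "crlf-in-target"
    for name, value in headers.items():
        if CRLF.search(fully_decode(value)):
            return False, f"crlf-in-header:{name.lower()}"
    # CWE-352: state-changing requests must originate from the MSM UI itself.
    if method.upper() in STATE_CHANGING:
        hdrs = {k.lower(): v for k, v in headers.items()}
        source = hdrs.get("origin") or hdrs.get("referer")
        if not source:
            return False, "csrf-no-origin"
        if origin_of(source) != MSM_ORIGIN:
            return False, "csrf-cross-origin"
    return True, "ok"

# Constructed sample requests; paths and parameters are hypothetical.
SAMPLES = [
    ("GET", "/status?lang=en", {"Host": "msm.example.internal"}),
    ("GET", "/status?lang=en%0d%0aX-Test:%201", {"Host": "msm.example.internal"}),
    ("GET", "/status?lang=en%250d%250aX-Test:1", {"Host": "msm.example.internal"}),
    ("POST", "/config", {"Origin": "https://mail.example.com"}),
    ("POST", "/config", {"Origin": "https://msm.example.internal"}),
]

if __name__ == "__main__":
    for method, target, headers in SAMPLES:
        print(method, target, "->", screen_request(method, target, headers))
```

Log the returned reason for every blocked request so that repeated rejections can be correlated with reported phishing emails.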
CVEs (2)