Hitachi Energy FOXMAN-UN

Plan PatchCVSS 8.3ICS-CERT ICSA-23-005-02Jan 5, 2023

Hitachi EnergyEnergy

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

FOXMAN-UN contains multiple cryptographic and encryption vulnerabilities (CWE-326: inadequate encryption strength, CWE-321: use of hard-coded cryptographic key, CWE-319: cleartext transmission, CWE-1394: use of inherently dangerous function) that allow an attacker with network access to intercept or manipulate management communications, gain unauthorized access to managed network elements, or cause availability disruptions. The affected versions are R9C, R10C, R11A, R11B, R14A, R14B, R15A, and R15B. Successful exploitation could allow an unauthorized user to obtain sensitive information, gain access to network elements managed by FOXMAN-UN, and cause availability issues.

What this means

What could happen

An attacker with network access to FOXMAN-UN could intercept or manipulate management communications, gain unauthorized access to managed network elements, or disrupt availability of the energy management system. This could prevent operators from monitoring or controlling critical grid infrastructure.

Who's at risk

Energy utilities operating Hitachi Energy FOXMAN-UN (versions R9C through R16A) for network management and control should assess this risk. This affects centralized energy management systems responsible for monitoring and controlling generation, transmission, and distribution infrastructure. Any utility using FOXMAN-UN for supervisory and management functions is in scope.

How it could be exploited

An attacker on the local network or with network connectivity to the FOXMAN-UN management interface could exploit weak cryptographic implementation (CWE-326, CWE-321) or unencrypted communications (CWE-319) to intercept credentials, session tokens, or configuration data. The attacker could then use this access to authenticate as a legitimate user and reconfigure managed network elements or extract sensitive operational data.

Prerequisites

Network access to FOXMAN-UN management interface (NMS CLIENT/SERVER port)
No credentials required for initial interception of unencrypted traffic

remotely exploitableno authentication required for traffic interceptionlow attack complexityno patch available for most versionsweak cryptographic implementationaffects grid management and visibility

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (9)

1 with fix8 EOL

ProductAffected VersionsFix Status

FOXMAN-UN: FOXMAN-UN R14BR14BNo fix (EOL)

FOXMAN-UN: FOXMAN-UN R16AR16AR16A

FOXMAN-UN: FOXMAN-UN R15AR15ANo fix (EOL)

FOXMAN-UN: FOXMAN-UN R14AR14ANo fix (EOL)

FOXMAN-UN: FOXMAN-UN R11BR11BNo fix (EOL)

FOXMAN-UN: FOXMAN-UN R10CR10CNo fix (EOL)

FOXMAN-UN: FOXMAN-UN R9CR9CNo fix (EOL)

FOXMAN-UN: FOXMAN-UN R15BR15BNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/3

WORKAROUNDEncrypt all NMS CLIENT/SERVER communication channels using TLS or equivalent strong encryption

WORKAROUNDAvoid using embedded FOXCST with RADIUS authentication; use external authentication or alternative protocols

WORKAROUNDImplement secure file handling procedures for exported FOXMAN-UN configuration files; store encrypted and restrict access

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FOXMAN-UN to R16A if operationally feasible; note that full remediation for CVE-2021-40341 and CVE-2021-40342 is pending in a future release

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: FOXMAN-UN: FOXMAN-UN R14B, FOXMAN-UN: FOXMAN-UN R15A, FOXMAN-UN: FOXMAN-UN R14A, FOXMAN-UN: FOXMAN-UN R11B, FOXMAN-UN: FOXMAN-UN R10C, FOXMAN-UN: FOXMAN-UN R9C, FOXMAN-UN: FOXMAN-UN R15B, FOXMAN-UN: FOXMAN-UN R11A. Apply the following compensating controls:

HARDENINGImplement network segmentation: isolate FOXMAN-UN and managed network elements from the general corporate network using a firewall with minimal open ports

HARDENINGRestrict physical access to FOXMAN-UN servers and NMS workstations to authorized personnel only

HARDENINGDisable internet connectivity on FOXMAN-UN hosts and connected management workstations

CVEs (5)

CVE-2021-40341 CVE-2021-40342 CVE-2022-3927 CVE-2022-3928 CVE-2022-3929

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6ce37ad8-9b52-44a7-97d3-c7e86ad71df9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.