Hitachi Energy FOXMAN-UN
Plan Patch8.3ICS-CERT ICSA-23-005-02Jan 5, 2023
Attack VectorAdjacent
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
FOXMAN-UN contains multiple cryptographic and encryption vulnerabilities (CWE-326: inadequate encryption strength, CWE-321: use of hard-coded cryptographic key, CWE-319: cleartext transmission, CWE-1394: use of inherently dangerous function) that allow an attacker with network access to intercept or manipulate management communications, gain unauthorized access to managed network elements, or cause availability disruptions. The affected versions are R9C, R10C, R11A, R11B, R14A, R14B, R15A, and R15B. Successful exploitation could allow an unauthorized user to obtain sensitive information, gain access to network elements managed by FOXMAN-UN, and cause availability issues.
What this means
What could happen
An attacker with network access to FOXMAN-UN could intercept or manipulate management communications, gain unauthorized access to managed network elements, or disrupt availability of the energy management system. This could prevent operators from monitoring or controlling critical grid infrastructure.
Who's at risk
Energy utilities operating Hitachi Energy FOXMAN-UN (versions R9C through R16A) for network management and control should assess this risk. This affects centralized energy management systems responsible for monitoring and controlling generation, transmission, and distribution infrastructure. Any utility using FOXMAN-UN for supervisory and management functions is in scope.
How it could be exploited
An attacker on the local network or with network connectivity to the FOXMAN-UN management interface could exploit weak cryptographic implementation (CWE-326, CWE-321) or unencrypted communications (CWE-319) to intercept credentials, session tokens, or configuration data. The attacker could then use this access to authenticate as a legitimate user and reconfigure managed network elements or extract sensitive operational data.
Prerequisites
- Network access to FOXMAN-UN management interface (NMS CLIENT/SERVER port)
- No credentials required for initial interception of unencrypted traffic
remotely exploitableno authentication required for traffic interceptionlow attack complexityno patch available for most versionsweak cryptographic implementationaffects grid management and visibility
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (9)
1 with fix8 EOL
ProductAffected VersionsFix Status
FOXMAN-UN: FOXMAN-UN R14BR14BNo fix (EOL)
FOXMAN-UN: FOXMAN-UN R16AR16AR16A
FOXMAN-UN: FOXMAN-UN R15AR15ANo fix (EOL)
FOXMAN-UN: FOXMAN-UN R14AR14ANo fix (EOL)
FOXMAN-UN: FOXMAN-UN R11BR11BNo fix (EOL)
FOXMAN-UN: FOXMAN-UN R10CR10CNo fix (EOL)
FOXMAN-UN: FOXMAN-UN R9CR9CNo fix (EOL)
FOXMAN-UN: FOXMAN-UN R15BR15BNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/3WORKAROUNDEncrypt all NMS CLIENT/SERVER communication channels using TLS or equivalent strong encryption
WORKAROUNDAvoid using embedded FOXCST with RADIUS authentication; use external authentication or alternative protocols
WORKAROUNDImplement secure file handling procedures for exported FOXMAN-UN configuration files; store encrypted and restrict access
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpgrade FOXMAN-UN to R16A if operationally feasible; note that full remediation for CVE-2021-40341 and CVE-2021-40342 is pending in a future release
Mitigations - no patch available
0/3The following products have reached End of Life with no planned fix: FOXMAN-UN: FOXMAN-UN R14B, FOXMAN-UN: FOXMAN-UN R15A, FOXMAN-UN: FOXMAN-UN R14A, FOXMAN-UN: FOXMAN-UN R11B, FOXMAN-UN: FOXMAN-UN R10C, FOXMAN-UN: FOXMAN-UN R9C, FOXMAN-UN: FOXMAN-UN R15B, FOXMAN-UN: FOXMAN-UN R11A. Apply the following compensating controls:
HARDENINGImplement network segmentation: isolate FOXMAN-UN and managed network elements from the general corporate network using a firewall with minimal open ports
HARDENINGRestrict physical access to FOXMAN-UN servers and NMS workstations to authorized personnel only
HARDENINGDisable internet connectivity on FOXMAN-UN hosts and connected management workstations
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6ce37ad8-9b52-44a7-97d3-c7e86ad71df9