OTPulse

Hitachi Energy Lumada Asset Performance Management

Priority: Act Now
CVSS: 7.5
Source: ICS-CERT ICSA-23-005-03
Published: Jan 5, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Hitachi Energy Lumada Asset Performance Management (APM) versions 6.1.0.0 through 6.5.0.0 contain vulnerabilities that can lead to denial of service or remote code execution. The vulnerabilities are in the APM application's handling of network requests (CWE-1357 - Reliance on Insufficiently Trustworthy Source). An unauthenticated attacker can trigger these conditions from the network without requiring user interaction. Hitachi Energy has released fixed versions: 6.5.0.1 or later for all vulnerabilities, and 6.4.0.1 for CVE-2022-37434 specifically. Cloud-based deployments are already remediated. No public exploits are currently available, but the high EPSS score indicates a high probability of exploitation.

What this means
What could happen
An attacker could cause the Lumada APM system to become unavailable, interrupting asset performance monitoring across your generation, transmission, or distribution infrastructure. In certain conditions, remote code execution is possible, allowing an attacker to run commands on the APM server itself.
Who's at risk
Energy utilities operating Lumada Asset Performance Management on-premises installations should prioritize this. If you use Lumada APM to monitor generation, transmission, or distribution assets, you are affected. Cloud-based (SaaS) users of Lumada APM are already protected by Hitachi Energy. The vulnerability affects both Windows and Linux deployments of Lumada APM versions 6.1.0.0 through 6.5.0.0.
How it could be exploited
An attacker on the network (or reaching the system across the Internet if exposed) can send a specially crafted request to Lumada APM that triggers a denial-of-service condition or executes arbitrary code on the APM server. No authentication is required to exploit these vulnerabilities.
Prerequisites
  • Network access to the Lumada APM service (typically port 443 for HTTPS)
  • No credentials required for exploitation
  • System running Lumada APM version 6.1.0.0 through 6.5.0.0
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (92.5%)
  • Affects monitoring and control systems
  • Default or no network isolation likely in legacy deployments
Exploitability
High exploit probability (EPSS 92.5%)
Affected products (2)
2 with fix
  • Product: Lumada Asset Performance Management (APM): Lumada APM; Affected Versions: 6.5.0.0; Fix Status: 6.5.0.1 or later
  • Product: Lumada Asset Performance Management (APM): Lumada APM; Affected Versions: ≥ 6.1.0.0 | ≤ 6.4.0.0 (CVE-2022-37434 only); Fix Status: 6.5.0.1 or later
Remediation & Mitigation
Do now
Lumada Asset Performance Management (APM): Lumada APM:
  • HARDENING: Isolate Lumada APM from direct Internet access; ensure the system is behind a firewall and only reachable from authorized management networks
  • HARDENING: Restrict network access to Lumada APM to authorized users and systems only; minimize exposed ports
  • WORKAROUND: If remote access to Lumada APM is required, use a VPN connection and keep VPN software updated
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Lumada Asset Performance Management (APM): Lumada APM:
  • HOTFIX: Update Lumada APM to version 6.5.0.1 or later (covers all vulnerabilities including CVE-2022-37434)
  • HOTFIX: If running Lumada APM version 6.4.0.0 or earlier and cannot upgrade immediately, update to version 6.4.0.1 as a minimum to address CVE-2022-37434
Hitachi Energy Lumada Asset Performance Management | CVSS 7.5 - OTPulse