OTPulse
FeedAboutContact

Hitachi Energy Gateway Station

Plan Patch7.5ICS-CERT ICSA-23-059-01Mar 6, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Hitachi Energy Gateway Station versions 3.2.0.0 and earlier contain vulnerabilities related to null pointer dereference (CWE-476) and infinite loops (CWE-835) in process handling. Successful exploitation causes affected modules to stop working and become unavailable. The vulnerabilities are remotely exploitable over the network without authentication. One vulnerability (CVE-2020-25692) specifically impacts configurations with the Authentication Service installed, which is used for centralized SDM600 user account management but is not installed by default.

What this means
What could happen
An attacker could cause the Gateway Station to stop working, disrupting communication and control functions across your energy infrastructure. This affects any HMI, SCADA, or remote access dependent on the gateway.
Who's at risk
Energy utilities and operators using Hitachi Energy Gateway Station for SCADA, remote access, or centralized gateway functions. Particularly critical for organizations that depend on the gateway for communication between control networks and operations centers.
How it could be exploited
An attacker with network access to the Gateway Station can send a specially crafted request that triggers a null pointer dereference or infinite loop, causing the affected modules to crash or become unresponsive.
Prerequisites
  • Network access to the Gateway Station
  • No authentication required
remotely exploitableno authentication requiredlow complexityhigh EPSS score (8.3%)affects availability of critical control systemsaffects all versions 3.2.0.0 and earlier
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (8)
8 with fix
ProductAffected VersionsFix Status
Gateway Station (GWS): 2.0.0.02.0.0.03.3.0.0
Gateway Station (GWS): 2.1.0.02.1.0.03.3.0.0
Gateway Station (GWS): 2.2.0.02.2.0.03.3.0.0
Gateway Station (GWS): 2.3.0.02.3.0.03.3.0.0
Gateway Station (GWS): 2.4.0.02.4.0.03.3.0.0
Gateway Station (GWS): 3.0.0.03.0.0.03.3.0.0
Gateway Station (GWS): 3.1.0.03.1.0.03.3.0.0
Gateway Station (GWS): 3.2.0.0 and earlier≤ 3.2.0.03.3.0.0
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDConfigure firewalls to restrict network access to Gateway Station from untrusted networks and external sources
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Gateway Station to version 3.3.0.0 or later
Long-term hardening
0/2
HARDENINGPhysically restrict access to Gateway Station hardware to authorized personnel only
HARDENINGIf using Authentication Service, review whether it is necessary for your deployment (required only for centralized SDM600 user account management)
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/5d392516-0dc7-4bab-b557-f2828dcc4eeb
Hitachi Energy Gateway Station | CVSS 7.5 - OTPulse