Hitachi Energy Relion 670, 650 and SAM600-IO Series

Monitor4.5ICS-CERT ICSA-23-068-05Feb 28, 2023

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionRequired

Summary

CVE-2022-3864 affects Hitachi Energy Relion 670, 650, and SAM600-IO series devices. An attacker with high-level security credentials can trigger the device's firmware update mechanism and supply a malicious update package. Due to insufficient validation of the update package, the device crashes when attempting to verify the package, resulting in a forced reboot and temporary loss of protective relay function. After reboot, the device returns to normal operation.

What this means

What could happen

An attacker with security privileges can supply a malicious firmware update package to the device, triggering a crash that reboots the device and temporarily disrupts relay operations.

Who's at risk

Electric utilities operating Hitachi Energy Relion 670 and 650 series protective relays and SAM600-IO modules should evaluate this issue. These are critical relay protection devices used in substations and generation facilities to detect and isolate faults. Organizations using affected versions need firmware updates.

How it could be exploited

An attacker with high-level administrative access can trigger the firmware update mechanism on the device and supply a malicious update package. When the device attempts to verify the package, the flawed validation allows the tampered package to be processed, causing a crash and forced reboot.

Prerequisites

Administrative or security-level credentials on the device
Ability to initiate firmware update on the device
Device must be running an affected firmware version

High privileges requiredDevice restart / operational disruptionNo authentication bypassLow exploit probability

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Relion 670 series2.2.0; ≥ 2.2.1.0|<2.2.1.8; ≥ 2.2.2.0|<2.2.2.5 and 3 more2.2.5.6 or latest

Relion 650 series2.2.0; ≥ 2.2.1.0|<2.2.1.8; ≥ 2.2.4.0|<2.2.4.3; ≥ 2.2.5.0|<2.2.5.52.2.5.6 or latest

SAM600-IO series≥ 2.2.1.0|<2.2.1.82.2.1.9 or latest

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict administrative credentials and firmware update access to authorized personnel only

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Relion 670 series

HOTFIXUpdate Relion 670 series to firmware version 2.2.5.6 or latest

Relion 650 series

HOTFIXUpdate Relion 650 series to firmware version 2.2.5.6 or latest

SAM600-IO series

HOTFIXUpdate SAM600-IO series to firmware version 2.2.1.9 or latest

CVEs (1)

CVE-2022-3864

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4945d907-d3d4-4c88-9843-2ebffa6dab0c