OTPulse

Hitachi Energy's RTU500 Series Product (UPDATE B)

Act Now · 9.8 · ICS-CERT ICSA-23-143-02 · May 5, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

RTU500 series Remote Terminal Unit (RTU) with CMU (Communications Module Unit) firmware contains multiple vulnerabilities (CWE-843, CWE-208, CWE-125, CWE-835, CWE-120) that allow remote denial-of-service and crash attacks. Affected firmware versions: 12.0.1–12.0.15, 12.2.1–12.2.12, 12.4.1–12.4.12, 12.6.1–12.6.9, 12.7.1–12.7.6, 13.2.1–13.2.6, 13.3.1–13.3.3, and 13.4.1–13.4.2.

What this means
What could happen
An attacker with network access to the RTU500 CMU could crash the device or cause a loss of communications and telemetry, disrupting grid operations and preventing remote control or monitoring of substations and field equipment.
Who's at risk
This affects electric utilities and grid operators who deploy Hitachi Energy RTU500 series units in substations and remote terminal locations for SCADA telemetry, remote switching, and monitoring. Any organization running RTU500 CMU firmware in versions 12.0.1 through 13.4.2 is vulnerable.
How it could be exploited
An attacker on the network sends crafted packets or malformed data to the RTU500 CMU on the network port used for communications or management. The firmware fails to properly validate the input, triggering a buffer overflow or logic error that crashes the device or causes it to stop responding to legitimate commands.
Prerequisites
  • Network access to the RTU500 CMU communications or management port
  • No authentication credentials required
remotely exploitable · no authentication required · low complexity · high EPSS score (88.5%) · affects critical energy infrastructure
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (8)
8 pending
Product                                          Affected Versions     Fix Status
RTU500 series CMU Firmware: >=12.0.1|<=12.0.15   ≥ 12.0.1|≤ 12.0.15    No fix yet
RTU500 series CMU Firmware: >=12.2.1|<=12.2.12   ≥ 12.2.1|≤ 12.2.12    No fix yet
RTU500 series CMU Firmware: >=12.4.1|<=12.4.12   ≥ 12.4.1|≤ 12.4.12    No fix yet
RTU500 series CMU Firmware: >=12.6.1|<=12.6.9    ≥ 12.6.1|≤ 12.6.9     No fix yet
RTU500 series CMU Firmware: >=12.7.1|<=12.7.6    ≥ 12.7.1|≤ 12.7.6     No fix yet
RTU500 series CMU Firmware: >=13.2.1|<=13.2.6    ≥ 13.2.1|≤ 13.2.6     No fix yet
RTU500 series CMU Firmware: >=13.3.1|<=13.3.3    ≥ 13.3.1|≤ 13.3.3     No fix yet
RTU500 series CMU Firmware: >=13.4.1|<=13.4.2    ≥ 13.4.1|≤ 13.4.2     No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Implement network segmentation to restrict access to RTU500 CMU communications ports to only authorized SCADA/EMS systems and engineering workstations
  • WORKAROUND: Deploy firewall rules or access lists to deny inbound traffic to the RTU500 CMU from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RTU500 CMU firmware to version 12.0.15 (for systems on 12.0.x branch)
  • HOTFIX: Update RTU500 CMU firmware to version 12.2.12 (for systems on 12.2.x branch)
  • HOTFIX: Update RTU500 CMU firmware to version 12.4.12 (for systems on 12.4.x branch)
  • HOTFIX: Update RTU500 CMU firmware to version 12.6.9 (for systems on 12.6.x branch)
  • HOTFIX: Update RTU500 CMU firmware to version 12.7.6 (for systems on 12.7.x branch)
Long-term hardening
  • HARDENING: For RTU500 CMU firmware versions 13.2.x, 13.3.x, and 13.4.x: Monitor Hitachi Energy advisories for planned firmware updates; no fix currently available
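
A firmware inventory can be triaged against the affected ranges and remediation labels listed above. The following is an added example, not OTPulse or Hitachi Energy code; the asset names, the `major.minor.patch` version format, and the function names are assumptions.

```python
import re

# Affected CMU firmware ranges from this advisory, paired with the label of
# the remediation item the page lists for that branch.
AFFECTED = [
    ((12, 0, 1), (12, 0, 15), "HOTFIX"),
    ((12, 2, 1), (12, 2, 12), "HOTFIX"),
    ((12, 4, 1), (12, 4, 12), "HOTFIX"),
    ((12, 6, 1), (12, 6, 9), "HOTFIX"),
    ((12, 7, 1), (12, 7, 6), "HOTFIX"),
    ((13, 2, 1), (13, 2, 6), "HARDENING"),  # no fix currently available
    ((13, 3, 1), (13, 3, 3), "HARDENING"),
    ((13, 4, 1), (13, 4, 2), "HARDENING"),
]

# Assumption: the inventory records versions as "major.minor.patch".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")

def triage(version_text):
    """Return (status, remediation_label) for one firmware version string."""
    match = VERSION_RE.match(version_text or "")
    if match is None:
        # Unparseable entries must be checked by hand, not treated as safe.
        return ("unknown", None)
    version = tuple(int(part) for part in match.groups())
    for low, high, label in AFFECTED:
        if low <= version <= high:  # tuple comparison, inclusive bounds
            return ("affected", label)
    return ("not listed", None)

# Constructed sample inventory (hypothetical asset names).
SAMPLE_INVENTORY = {
    "substation-a-rtu": "12.0.15",
    "substation-b-rtu": "12.0.16",
    "substation-c-rtu": "13.4.2",
    "substation-d-rtu": "12.1.3",
    "substation-e-rtu": "unknown",
}

def triage_inventory(inventory):
    """Map each asset name to its (status, remediation_label) result."""
    return {name: triage(version) for name, version in inventory.items()}

if __name__ == "__main__":
    for name, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(name, *result)
```

An "unknown" result means the version string could not be parsed and the device needs a manual check; "not listed" means only that the version falls outside the ranges given in this advisory.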