Hitachi Energy RTU500 series
Priority: Plan Patch
Score: 7.5
ICS-CERT advisory: ICSA-23-220-02
Date: Aug 8, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Buffer overflow vulnerability in Hitachi Energy RTU500 series CMU (communication module) firmware versions 13.3.1 and 13.3.2. The vulnerability exists in the HCI IEC 60870-5-104 protocol implementation. A remote attacker can send a malicious packet to the HCI interface, causing a buffer overflow that triggers a device reboot, temporarily disrupting SCADA communications. The vulnerability affects only devices with HCI IEC 60870-5-104 and IEC 62351-5 (or IEC 62351-3) configured and enabled. By default, these features are disabled.
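As an added illustration (not Hitachi Energy's code; the advisory does not identify which field the firmware mishandles), this Python framer shows the length validation an IEC 60870-5-104 receiver must perform before the one-byte APDU length field is used to index a fixed buffer, both for a single frame and for a TCP byte stream that may hold several frames. The sample frames are constructed.

```python
from dataclasses import dataclass
# Added illustration of IEC 60870-5-104 APDU length validation; not RTU500 firmware code.
START_BYTE = 0x68    # every APDU starts with 0x68
CTRL_LEN = 4         # four APCI control octets follow the length byte
MAX_APDU_LEN = 253   # largest value the one-byte length field may hold

@dataclass
class Apdu:
    frame_type: str  # 'I' (data), 'S' (supervisory) or 'U' (unnumbered)
    control: bytes   # the four control octets
    asdu: bytes      # payload; empty for S and U frames

def check_header(buf: bytes, pos: int = 0) -> int:
    """Validate start byte and length field at buf[pos]; return the APDU length."""
    if len(buf) - pos < 2:
        raise ValueError("short header")
    if buf[pos] != START_BYTE:
        raise ValueError(f"bad start byte 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    if not CTRL_LEN <= length <= MAX_APDU_LEN:
        raise ValueError(f"length {length} not in {CTRL_LEN}..{MAX_APDU_LEN}")
    return length

def parse_apdu(buf: bytes) -> Apdu:
    """Parse one complete APDU; every slice is bounded by the validated length."""
    length = check_header(buf)
    if len(buf) != 2 + length:
        raise ValueError("length field disagrees with bytes received")
    control, asdu = buf[2:2 + CTRL_LEN], buf[2 + CTRL_LEN:]
    low = control[0] & 0x03  # frame type lives in the two low bits of octet 1
    frame_type = "I" if (low & 0x01) == 0 else "S" if low == 0x01 else "U"
    if (frame_type == "I") != bool(asdu):
        raise ValueError(f"{frame_type}-frame with ASDU length {len(asdu)}")
    return Apdu(frame_type, control, asdu)

def split_stream(data: bytes) -> tuple[list[Apdu], bytes]:
    """Cut a TCP byte stream into complete APDUs; return any incomplete tail."""
    apdus, pos = [], 0
    while len(data) - pos >= 2:
        end = pos + 2 + check_header(data, pos)  # reject bad lengths before buffering
        if end > len(data):
            break                                # rest of this APDU not yet received
        apdus.append(parse_apdu(data[pos:end]))
        pos = end
    return apdus, data[pos:]

# Constructed samples: STARTDT act U-frame; I-frame with a 10-byte C_IC_NA_1 ASDU (CA=1, QOI=20); header whose length byte 0xFF exceeds 253.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
I_FRAME = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")
OVERSIZED = bytes.fromhex("68 ff 00 00 00 00")
```

The receiver rejects an out-of-range length as soon as the two-byte header arrives, rather than buffering until an impossible number of bytes has been received.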
What this means
What could happen
A buffer overflow in the RTU500's communication module could allow an attacker to reboot the device remotely, causing loss of real-time monitoring and control of the distribution network until it recovers.
Who's at risk
Operators of Hitachi Energy RTU500 series remote terminal units (RTUs) used in electric distribution and generation facilities should assess whether the HCI IEC 60870-5-104 communication protocol is enabled on their devices. This protocol is used for SCADA master-to-RTU communication in distribution automation networks. If the protocol is enabled, the device is vulnerable to remote reboot attacks.
How it could be exploited
An attacker with network access to the RTU500 can send a specially crafted packet to the HCI IEC 60870-5-104 protocol interface (if enabled) to trigger a buffer overflow, causing the device to reboot and temporarily interrupt SCADA communications.
Prerequisites
- Network reachability to the RTU500 device on the HCI IEC 60870-5-104 port (typically 2404/TCP)
- HCI IEC 60870-5-104 function must be enabled on the device (disabled by default)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity
- Affects a SCADA RTU (operational impact)
- HCI IEC 60870-5-104 must be explicitly enabled but is disabled by default (reduces immediate risk)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
RTU500 series CMU | ≥ 13.3.1 and ≤ 13.3.2 | 13.3.3 or 13.4.1
Remediation & Mitigation
Do now
- WORKAROUND: Disable the HCI IEC 60870-5-104 function if it is not required for operations
- WORKAROUND: Disable the IEC 62351-3 and IEC 62351-5 features on the HCI interface if they are not used
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Update the CMU firmware to version 13.3.3 or 13.4.1
Long-term hardening
- HARDENING: Implement network segmentation to isolate RTU500 devices from external networks; restrict inbound access on IEC 60870-5-104 ports to authorized SCADA gateways only
- HARDENING: Ensure RTU500 devices have no direct internet connectivity and sit behind a firewall with minimal exposed ports
- HARDENING: Enforce strong password policies on engineering and administrative accounts
CVEs (2)
API:
/api/v1/advisories/0a74ac78-32f4-4c57-ac9f-316255b74579