OTPulse

Hitachi Energy Lumada APM Edge

Act Now · CVSS 7.5 · ICS-CERT ICSA-23-255-01 · Sep 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Hitachi Energy Lumada APM Edge contains memory safety and information disclosure vulnerabilities (CWE-416, CWE-415, CWE-843, CWE-203) in versions 4.0 and 6.3. An attacker can trigger these flaws through the HAProxy API gateway to cause denial of service or leak sensitive information. Lumada APM Edge versions 4.0 and earlier are end-of-life with no patches planned. Version 6.3 is vulnerable. The service relies on HAProxy and OpenSSL libraries, which must also be kept current.

What this means
What could happen
An attacker could exploit memory safety or information disclosure flaws in Lumada APM Edge to cause the system to become unavailable or leak sensitive data about your network or operations configuration.
Who's at risk
Energy utilities and industrial facilities using Hitachi Energy Lumada APM Edge for asset performance monitoring. This includes facilities with remote monitoring systems, edge computing gateways, or cloud-connected operational data collection. Particularly affects organizations running unsupported version 4.0 or the current version 6.3 without patches.
How it could be exploited
An attacker on the network (or the Internet if HAProxy is exposed) sends a specially crafted request to the Lumada APM Edge API gateway service. The request triggers a memory safety vulnerability that either crashes the service or allows reading sensitive information from memory. No authentication is required.
Prerequisites
  • Network access to the Lumada APM Edge API gateway (typically port 443 or 8080, exposed via HAProxy)
  • No authentication credentials required
  • Vulnerable Lumada APM Edge version 4.0 or 6.3 running
Risk factors
  • Remotely exploitable via network
  • No authentication required
  • Low complexity attack
  • High EPSS score (88.5%)
  • No patch available for version 4.0 (end-of-life)
  • Service must be exposed to end users (API gateway role)
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (2)
2 with fix

Product                    Affected Versions    Fix Status
Lumada APM Edge: <= 4.0    ≤ 4.0                6.5.0.2 or later
Lumada APM Edge: 6.3       6.3                  6.5.0.2 or later

Remediation & Mitigation
Do now
  • WORKAROUND: For end-of-life Lumada APM Edge 4.0 and earlier: decommission the system or isolate it from network access; no vendor fix will be released
  • HARDENING: Restrict network access to Lumada APM Edge API gateway to only authorized users and engineering workstations; use firewall rules to limit exposed ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Lumada APM Edge to version 6.5.0.2 or later
  • HOTFIX: Ensure HAProxy service and underlying OpenSSL libraries on the Lumada APM Edge system are updated to current versions
  • HOTFIX: Ensure the operating system hosting Lumada APM Edge receives all applicable security patches
Long-term hardening
  • HARDENING: If remote access to Lumada APM Edge is required, use a VPN and ensure the VPN client and server are kept current