OTPulse

Hitachi Energy Asset Suite 9

CVSS 6.9 · ICS-CERT ICSA-24-095-01 · Apr 4, 2024
Summary

An authentication anomaly in Hitachi Energy Asset Suite allows an attacker to invoke the REST service without valid credentials. Successful exploitation could allow unauthorized access to REST API functions. The vulnerability affects Asset Suite versions before 9.6.3.13 and before 9.6.4.1.

What this means
What could happen
An attacker could bypass authentication controls and access the REST API of Asset Suite, potentially allowing them to query or modify critical energy asset data, configurations, or operational parameters.
Who's at risk
Energy sector organizations running Hitachi Energy Asset Suite versions prior to 9.6.3.13 or 9.6.4.1. This includes utilities managing electrical generation, distribution, and transmission assets that rely on Asset Suite for asset inventory, configuration, and lifecycle management.
How it could be exploited
An attacker with network access to the Asset Suite REST service endpoint triggers the authentication anomaly to invoke API calls without supplying valid credentials, circumventing the authentication check and gaining unauthorized access to asset management functions.
Prerequisites
  • Network access to the Asset Suite REST service endpoint
  • Knowledge of the REST API endpoint URLs
Tags: Remotely exploitable · Authentication bypass · Low complexity attack · Affects energy asset management systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2), 2 with fix

Product                    Affected Versions    Fix Status
Asset Suite: <9.6.3.13     <9.6.3.13            9.6.3.13 or 9.6.4.1
Asset Suite: <9.6.4.1      <9.6.4.1             9.6.3.13 or 9.6.4.1
Remediation & Mitigation

Do now
WORKAROUND: Restrict network access to Asset Suite REST service endpoints using firewall rules; only allow connections from authorized engineering workstations and management networks.

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption.

HOTFIX: Update Asset Suite to version 9.6.3.13 or 9.6.4.1.

Long-term hardening
HARDENING: Isolate Asset Suite systems behind a firewall and on a separate network segment from the business network.
HARDENING: Implement VPN access for any remote administration of Asset Suite, ensuring the VPN is kept current with security updates.