Multiple Vulnerabilities in Hitachi Energy RTU500 Series
Plan Patch · 8.2 · ICS-CERT ICSA-24-116-01 · Apr 25, 2024
Summary
Hitachi Energy RTU500 series CMU firmware contains an unsafe file upload vulnerability (CWE-434) that allows authenticated attackers to upload or transfer files of dangerous types that are automatically processed by the device. Affected firmware versions include 12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 12.7.1–12.7.6, 13.2.1–13.2.6, 13.4.1–13.4.4, and 13.5.1–13.5.3. Hitachi Energy has released patches only for versions 12.7.1–12.7.6 (update to 12.7.7) and 13.2.1–13.2.6 (update to 13.2.7). For other affected versions, the vendor recommends network segmentation, firewall rules, physical access controls, and other compensating controls.
What this means
What could happen
An attacker with engineering access to the RTU500 could upload malicious files that the device automatically processes, potentially allowing execution of arbitrary code that could alter control logic, change setpoints, or disrupt critical power grid operations.
Who's at risk
Energy utilities and power generation facilities operating Hitachi Energy RTU500 series Remote Terminal Units should care about this vulnerability. RTU500 devices are used in substation automation and power distribution control. All versions of RTU500 CMU firmware from 12.0.1 through 13.5.3 are affected, with only two version branches (12.7 and 13.2) having patches available.
How it could be exploited
An attacker must gain network access to the RTU500 CMU and authenticate with valid engineering credentials. Once authenticated, they can exploit the unsafe file upload mechanism to transfer executable or script files that the device will automatically process, leading to code execution with the same privileges as the device.
Prerequisites
- Network access to RTU500 CMU management interface (port/protocol details not specified in advisory)
- Valid engineering or maintenance credentials for the CMU
- Knowledge of the file types the device will automatically process
- Requires valid engineering credentials (high barrier to entry)
- Network-accessible management interface
- Low complexity exploitation once authenticated
- No patches available for 6 of 8 affected firmware branches
- Affects critical energy sector infrastructure
- Unsafe file upload processing could lead to code execution
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8)
8 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| RTU500 series CMU Firmware | ≥ 12.0.1, ≤ 12.0.14 | No fix yet |
| RTU500 series CMU Firmware | ≥ 12.2.1, ≤ 12.2.11 | No fix yet |
| RTU500 series CMU Firmware | ≥ 12.4.1, ≤ 12.4.11 | No fix yet |
| RTU500 series CMU Firmware | ≥ 12.6.1, ≤ 12.6.9 | No fix yet |
| RTU500 series CMU Firmware | ≥ 12.7.1, ≤ 12.7.6 | No fix yet |
| RTU500 series CMU Firmware | ≥ 13.2.1, ≤ 13.2.6 | No fix yet |
| RTU500 series CMU Firmware | ≥ 13.4.1, ≤ 13.4.4 | No fix yet |
| RTU500 series CMU Firmware | ≥ 13.5.1, ≤ 13.5.3 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: For affected versions without patches (12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 13.4.1–13.4.4, 13.5.1–13.5.3), restrict network access to the RTU500 CMU management interface using firewall rules allowing only authorized engineering workstations
- WORKAROUND: Disable or restrict the file upload/transfer functionality on the RTU500 CMU if it is not required for normal operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RTU500 series CMU Firmware to version 12.7.7 if currently running version 12.7.1–12.7.6
- HOTFIX: Update RTU500 series CMU Firmware to version 13.2.7 if currently running version 13.2.1–13.2.6
Long-term hardening
- HARDENING: Physically protect RTU500 devices from unauthorized access and prevent direct Internet connections
- HARDENING: Implement network segmentation to isolate process control systems (including RTU500) from corporate networks and external access using firewall rules with minimal exposed ports
- HARDENING: Scan portable computers and removable storage media for malware before connecting them to the RTU500 or control system network
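An added example, not part of the advisory or any vendor tooling: a small inventory triage that maps each CMU firmware version to the affected ranges and fix versions stated in the summary above. The asset names and inventory are constructed, and collecting versions from the devices is assumed to happen elsewhere.

```python
import re

# (first affected, last affected, fixed version or None), copied from the advisory summary.
AFFECTED = [
    ("12.0.1", "12.0.14", None),
    ("12.2.1", "12.2.11", None),
    ("12.4.1", "12.4.11", None),
    ("12.6.1", "12.6.9", None),
    ("12.7.1", "12.7.6", "12.7.7"),
    ("13.2.1", "13.2.6", "13.2.7"),
    ("13.4.1", "13.4.4", None),
    ("13.5.1", "13.5.3", None),
]

def parse(version):
    """Turn '12.7.6' into (12, 7, 6) so that 12.0.14 sorts after 12.0.9."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", version.strip()):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in version.strip().split("."))

def triage(version):
    """Return (status, action) for one CMU firmware version string."""
    v = parse(version)
    for low, high, fixed in AFFECTED:
        if parse(low) <= v <= parse(high):
            if fixed:
                return ("affected", f"update to {fixed}")
            return ("affected", "no patch: apply compensating controls")
    return ("not listed", "not in an affected range of this advisory")

def triage_inventory(rows):
    """rows: iterable of (asset_name, version). Unparseable versions are flagged, not dropped."""
    report = {}
    for name, version in rows:
        try:
            report[name] = triage(version)
        except ValueError:
            report[name] = ("unknown", "verify firmware version manually")
    return report

# Constructed sample inventory (asset names are hypothetical).
INVENTORY = [("sub-a-rtu1", "12.7.6"), ("sub-a-rtu2", "12.0.14"),
             ("sub-b-rtu1", "13.2.7"), ("sub-c-rtu1", "12.0.9"), ("sub-d-rtu1", "13.5")]

if __name__ == "__main__":
    for asset, (status, action) in triage_inventory(INVENTORY).items():
        print(f"{asset:12} {status:11} {action}")
```

Versions are compared as integer tuples because a plain string comparison would place 12.0.9 after 12.0.14 and misclassify it.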
CVEs (2)