Hitachi Energy AFS/AFR Series Products

Act Now7.5ICS-CERT ICSA-24-205-02Jul 23, 2024

Summary

Hitachi Energy AFS and AFR series frequency converters contain multiple memory safety vulnerabilities (CWE-843, CWE-416, CWE-415, CWE-203) that can be exploited by an attacker with network access to trigger a denial-of-service condition. The affected products include AFS650 (up to v9.1.08), AFS660-C/AFS665-B/AFS670-V2 (up to v7.1.05), AFS670/AFS675/AFS677/AFR677 (up to v9.1.08). Hitachi Energy has released firmware patches addressing these flaws.

What this means

What could happen

Successful exploitation of these memory safety vulnerabilities could enable an attacker to cause a denial-of-service condition in critical AFS/AFR frequency converters, disrupting power generation or distribution operations. No fix is available for any affected product line.

Who's at risk

Operators of Hitachi Energy AFS and AFR series frequency converters used in power generation and distribution facilities should take immediate action. These devices are critical to frequency conversion in substations and power plants. The AFS650, AFS660-C, AFS665-B, AFS670-V2, AFS670, AFS675, AFS677, and AFR677 models are all vulnerable.

How it could be exploited

An attacker who can reach the vulnerable device over the network (likely port 502 or vendor-proprietary management ports) can send specially crafted packets that trigger use-after-free or out-of-bounds memory access flaws. This crashes the firmware, causing the converter to stop processing and cutting power flow until the device is manually rebooted.

Prerequisites

Network access to the AFS/AFR device management or communications ports
Device must be running the affected firmware versions (AFS650/670/675/677 and AFR677 up to v9.1.08; AFS660-C/665-B/670-V2 up to v7.1.05)
No authentication or special credentials required

remotely exploitableno authentication requiredno patch availablehigh EPSS score (88.5%)affects critical power infrastructuredenial-of-service impact

Exploitability

High exploit probability (EPSS 88.5%)

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

AFS665-B: <=7.1.05≤ 7.1.057.1.08

AFS650: <=9.1.08≤ 9.1.089.1.10

AFS660-C: <=7.1.05≤ 7.1.057.1.08

AFS670-V2: <=7.1.05≤ 7.1.057.1.08

AFS670: <=9.1.08≤ 9.1.089.1.10

AFS675: <=9.1.08≤ 9.1.089.1.10

AFS677: <=9.1.08≤ 9.1.089.1.10

AFR677: <=9.1.08≤ 9.1.089.1.10

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDImplement network firewall rules to restrict access to AFS/AFR device ports to only authorized engineering workstations and control network traffic

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AFS650 firmware to version 9.1.10

HOTFIXUpdate AFS660-C, AFS665-B, AFS670-V2 firmware to version 7.1.08

HOTFIXUpdate AFS670, AFS675, AFS677, AFR677 firmware to version 9.1.10

Long-term hardening

0/2

HARDENINGPhysically isolate AFS/AFR converters from the business network using an air gap or dedicated firewall; ensure no direct Internet connectivity

HARDENINGDisable any remote management ports on AFS/AFR devices if not required for operations

CVEs (4)

CVE-2023-0286 CVE-2023-0215 CVE-2022-4450 CVE-2022-4304

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/074173ae-4e50-4091-9600-d5d4347c5c6e