April 14, 2025
U.S. Cybersecurity and Infrastructure Security Agency (CISA) released five ICS (industrial control systems) advisories providing timely information about current security issues, vulnerabilities, and exploits. The agency warned of the presence of hardware vulnerabilities in equipment from Hitachi Energy, ABB, and B&R deployed across the critical infrastructure sector.
In an advisory, CISA disclosed the presence of null pointer dereference, insufficient resource pool, and missing synchronization vulnerabilities in Hitachi Energy’s RTU500 series. “Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition,” the advisory said.
A vulnerability exists in the RTU500 web server component that can cause a denial of service to the RTU500 CMU application if a specially crafted message sequence is executed on a WebSocket connection. An attacker must be properly authenticated, and the test mode function of RTU500 must be enabled to exploit this vulnerability. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.
CVE-2024-10037 has been assigned to this vulnerability. It has received a CVSS v3 base score of 4.9 and a CVSS v4 base score of 5.9.
A vulnerability exists in RTU500 IEC 60870-5-104 controlled station functionality that allows an authenticated and authorized attacker to perform a CMU restart. The vulnerability can be triggered if certificates are updated while in use on active connections. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.
The vulnerability has been designated CVE-2024-11499. It has received a CVSS v3 base score of 4.9 and a CVSS v4 base score of 6.9.
A vulnerability exists in RTU500 IEC 60870-5-104 controlled station functionality and IEC 61850 functionality, that allows an attacker performing a specific attack sequence to restart the affected CMU. This vulnerability only applies if secure communication using IEC 62351-3 (TLS) is enabled.
The vulnerability has been designated as CVE-2024-12169. It has received a CVSS v3 base score of 6.5, while the CVSS v4 assessment has determined a higher base score of 8.7.
A vulnerability exists in RTU IEC 61850 client and server functionality that could impact the availability if renegotiation of an open IEC61850 TLS connection takes place in specific timing situations when IEC61850 communication is active. The precondition is that IEC61850, as a client or server, is configured using TLS on an RTU500 device. It affects the CMU that the IEC61850 stack is configured on.
The vulnerability has been designated CVE-2025-1445. It has received a CVSS v3 base score of 7.5 and a CVSS v4 base score of 8.7.
The RTU500 series is deployed across the global energy sector. Hitachi Energy reported these vulnerabilities to CISA.
Hitachi Energy has identified specific workarounds and mitigations that users can apply to reduce risk. For all versions, apply general mitigation factors/workarounds. Upgrade the system once the remediated version is available, or apply general mitigation factors. The remediation lines are:
- RTU500 series CMU 12.0.1 – 12.0.14, 12.2.1 – 12.2.12, 12.4.1 – 12.4.11, 12.6.1 – 12.6.10, 12.7.1 – 12.7.7: Update to version 12.7.8 when available.
- RTU500 series CMU 13.2.1 – 13.2.7, 13.4.1 – 13.4.4, 13.5.1 – 13.5.3, 13.6.1: Update to version 13.7.1.
- RTU500 series CMU 13.5.1 – 13.5.3: Update to version 13.5.4 when available.
- RTU500 series CMU 13.6.1: Update to version 13.6.2 when available.
- (CVE-2024-11499, CVE-2025-1445) RTU500 series CMU 13.7.1 – 13.7.4: Update to version 13.7.6 when available.
- (CVE-2024-12169) RTU500 series CMU 13.4.1 – 13.4.4, 13.5.1 – 13.5.3, 13.6.1, 13.7.1 – 13.7.4: Update to version 13.7.6 when available.
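Because several of the remediation lines above overlap (a single 13.5.x CMU falls into three of them), a defender triaging an RTU500 fleet has to check every line, not just the first match. The following is an added example, not code from the article, CISA or Hitachi Energy: it encodes the version ranges and target versions exactly as listed above, compares versions numerically rather than as strings, and reports, for each device in an inventory, which target versions and which CVE labels apply. The function names, the data layout and the sample inventory (hostnames and versions) are assumptions made for this example.

```python
"""Map installed RTU500 series CMU versions to the remediation lines above.

Added example (not from the article or the vendor). Ranges and target versions
are copied from the advisory summary; everything else is an assumption.
"""
from typing import Any, Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '13.5.2' into (13, 5, 2) so ranges compare numerically.

    A plain string comparison would put '13.5.10' before '13.5.9'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# One entry per remediation line: inclusive ranges, target version, availability
# note, and the CVEs the summary attaches to that line (None where it gives none).
RTU500_REMEDIATIONS: List[Tuple[List[Tuple[str, str]], str, str, Optional[Tuple[str, ...]]]] = [
    ([("12.0.1", "12.0.14"), ("12.2.1", "12.2.12"), ("12.4.1", "12.4.11"),
      ("12.6.1", "12.6.10"), ("12.7.1", "12.7.7")], "12.7.8", "when available", None),
    ([("13.2.1", "13.2.7"), ("13.4.1", "13.4.4"), ("13.5.1", "13.5.3"),
      ("13.6.1", "13.6.1")], "13.7.1", "", None),
    ([("13.5.1", "13.5.3")], "13.5.4", "when available", None),
    ([("13.6.1", "13.6.1")], "13.6.2", "when available", None),
    ([("13.7.1", "13.7.4")], "13.7.6", "when available",
     ("CVE-2024-11499", "CVE-2025-1445")),
    ([("13.4.1", "13.4.4"), ("13.5.1", "13.5.3"), ("13.6.1", "13.6.1"),
      ("13.7.1", "13.7.4")], "13.7.6", "when available", ("CVE-2024-12169",)),
]


def in_range(v: Version, low: str, high: str) -> bool:
    """Inclusive range test on parsed versions."""
    return parse_version(low) <= v <= parse_version(high)


def remediations_for(version: str) -> List[Dict[str, Any]]:
    """Every remediation line whose affected ranges contain `version`."""
    v = parse_version(version)
    hits: List[Dict[str, Any]] = []
    for ranges, target, note, cves in RTU500_REMEDIATIONS:
        if any(in_range(v, lo, hi) for lo, hi in ranges):
            hits.append({"target": target, "note": note, "cves": cves})
    return hits


def is_affected(version: str) -> bool:
    """True if the version sits inside at least one listed affected range."""
    return bool(remediations_for(version))


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Per device: sorted, de-duplicated target versions to plan for."""
    return {
        name: sorted({h["target"] for h in remediations_for(ver)}, key=parse_version)
        for name, ver in inventory.items()
    }


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = {
    "rtu-substation-a": "13.5.2",
    "rtu-substation-b": "13.7.6",
    "rtu-yard-c": "12.6.3",
    "rtu-yard-d": "13.7.2",
}

if __name__ == "__main__":
    for host, targets in triage(SAMPLE_INVENTORY).items():
        print(host, "->", targets or "not in any listed affected range")
```

Running it against the sample inventory shows why the overlap matters: the 13.5.2 device maps to 13.5.4, 13.7.1 and 13.7.6, and the 13.7.2 device is outside the first four lines but still carries three CVE labels, so it cannot be deprioritised simply because it is on a recent branch. The parser deliberately rejects anything that is not a dotted numeric string so that a mis-typed inventory entry fails loudly instead of silently matching nothing.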
In another advisory, CISA revealed that Hitachi Energy’s TRMTracker equipment contained Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’), Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), and Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerabilities. The affected products are TRMTracker versions 6.2.04 and prior and TRMTracker versions 6.3.0 and 6.3.01.
“Successful exploitation of these vulnerabilities could allow an attacker to execute limited remote commands, poison web-cache, or disclose and modify sensitive information,” the advisory added.
TRMTracker is deployed across the global energy sector. Eskom Holdings SOC Ltd., South Africa, reported these vulnerabilities to Hitachi Energy.
Hitachi Energy recommends that users of TRMTracker Versions 6.2.04 and below must update to v6.2.04.014 or v6.3.02, while users of TRMTracker versions 6.3.0 and 6.3.01 must update to v6.3.02. They must also apply general mitigation factors.
Hitachi Energy advises users to adopt security practices and firewall configurations to safeguard process control networks from external attacks. Key recommendations include physically securing systems from unauthorized access, ensuring no direct Internet connections, and using firewalls to limit exposed ports. Additionally, process control systems should not be used for activities like Internet browsing or email, and portable devices must be scanned for viruses before connecting. Implementing strong password policies is also essential.
CISA disclosed that ABB’s ACS880 drives with IEC 61131-3 license contained improper input validation, out-of-bounds write, and improper restriction of operations within the bounds of a memory buffer vulnerabilities. The drives are deployed across the global manufacturing sector. The advisory noted that “successful exploitation of these vulnerabilities could allow an attacker to gain full access to the device or cause a denial-of-service condition.”
ABB PSIRT reported these vulnerabilities to CISA.
ABB has identified workarounds and mitigations users can apply to reduce risk. For ACS880 Primary Control Program AINLX, ACS880 Primary Control Program YINLX, ACS880 IGBT Supply Control Program AISLX, ACS880 IGBT Supply Control Program ALHLX, ACS880 IGBT Supply Control Program YISLX, and ACS880 IGBT Supply Control Program YLHLX, ABB has mitigated the CODESYS Runtime System vulnerabilities in the latest firmware versions for the affected products. IEC online programming communication is disabled by default, so CODESYS tools communication with the drive is disabled. ABB recommends that users apply the firmware update at the earliest convenience.
For ACS880 Position Control Program APCLX and ACS880 Test Bench Control Program ATBLX, the advisory adds that where a firmware update is not feasible, users should set parameter 196.102 to bit 2 to disable file download.
In another advisory, CISA disclosed that ABB DCT880 memory unit including ABB Drive Application Builder license (IEC 61131-3), DCT880 memory unit including Power Optimizer, DCS880 memory unit including ABB Drive Application Builder license (IEC 61131-3), DCS880 memory unit including DEMag, and DCS880 memory unit including DCC contained improper input validation, out-of-bounds write, and improper restriction of operations within the bounds of a memory buffer vulnerabilities.
“Successful exploitation of these vulnerabilities could allow attackers to trigger a denial-of-service condition or execute arbitrary code over the fieldbus interfaces,” CISA added.
These products are deployed across the critical manufacturing sector. ABB PSIRT reported these vulnerabilities to CISA. If the drive or power controller is in an exploitable configuration, ABB recommends immediately applying the appropriate mitigation action.
ABB recommends several cybersecurity practices for software-related product installations. These include isolating special-purpose networks behind firewalls, restricting physical access to authorized personnel, and ensuring programming tools are only connected to relevant networks. It is crucial to scan all imported data for malware, minimize network exposure for applications, and keep all software and firmware up to date. For remote access, secure methods like virtual private networks (VPNs) should be used, with awareness of their potential vulnerabilities and the need for regular updates.
In another advisory, CISA reported that B&R APROL hardware used in the global critical manufacturing sector contained Inclusion of Functionality from Untrusted Control Sphere, Incomplete Filtering of Special Elements, Improper Control of Generation of Code (‘Code Injection’), Improper Handling of Insufficient Permissions or Privileges, Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function, Exposure of Sensitive System Information to an Unauthorized Control Sphere, Exposure of Data Element to Wrong Session, Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), External Control of File Name or Path, Incorrect Permission Assignment for Critical Resource vulnerabilities.
“Successful exploitation of these vulnerabilities could allow an attacker to execute commands, elevate privileges, gather sensitive information, or alter the product,” the advisory added.
B&R reported that all versions of APROL prior to 4.4-01 contain CVE-2024-45483 and CVE-2024-10209; all versions 4.4-00P1 and prior contain CVE-2024-45482; and all versions of APROL 4.4-00P5 and prior contain CVE-2024-45481, CVE-2024-45480, CVE-2024-8315, CVE-2024-45484, CVE-2024-8313, CVE-2024-8314, CVE-2024-10206, CVE-2024-10207, CVE-2024-10208, and CVE-2024-10210.
B&R has identified specific workarounds and mitigations users can apply to reduce risk. It recommends that users apply the patch or upgrade to a non-vulnerable version at their earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. As some of the vulnerabilities affect the confidentiality of credentials, it is recommended to change all secrets/passwords after applying the update.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as minimizing network exposure for all control system devices and/or systems and ensuring they are not accessible from the internet. It also recommends locating control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as VPNs. Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
The post Hardware vulnerabilities in Hitachi Energy, ABB, B&R ICS devices pose critical infrastructure threat appeared first on Industrial Cyber.