Hitachi Energy's RTU500 Series Product (UPDATE B)

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to crash the device being accessed or cause a denial-of-service condition.

CVEs (6)

Remediations

• RTU500 series CMU Firmware version 12.0.1 - 12.0.14: Update to CMU Firmware version 12.0.15* (Planned Update)
• RTU500 series CMU Firmware version 12.2.1 - 12.2.11: Update to CMU Firmware version 12.2.12* (Planned Update)
• RTU500 series CMU Firmware version 12.4.1 - 12.4.11: Update to CMU Firmware version 12.4.12* (Planned Update)
• RTU500 series CMU Firmware version 12.6.1 - 12.6.8: Update to CMU Firmware version 12.6.9
• RTU500 series CMU Firmware version 12.7.1 - 12.7.5: Update to CMU Firmware version 12.7.6
• RTU500 series CMU Firmware version 13.2.1 - 13.2.5: Update to CMU Firmware version 13.2.6
• RTU500 series CMU Firmware version 13.3.1 - 13.3.3: Update to CMU Firmware version 13.3.4* (Planned Update)
• RTU500 series CMU Firmware version 13.4.1: Update to CMU Firmware version 13.4.2
• Until the updates are made available, Hitachi Energy recommends the following general mitigation factors/workarounds for the products with RTU500 series CMU Firmware versions 12.0.1 � 12.0.15, 12.2.1 � 12.2.12, 12.4.1 � 12.4.12, 12.6.1 � 12.6.9, 12.7.1 � 12.7.6, 13.2.1 � 13.2.6, 13.3.1 � 13.3.3, 13.4.2 to address the vulnerabilities CVE-2023-0286 and CVE-2022-4304:
• Recommended security practices and firewall configurations can help protect a process control network from attacks originating from outside the network including.
• Physically protect process control systems from direct access by unauthorized personnel.
• Do not allow process control systems direct connections to the internet.
• Separate process control systems from other networks by means of a firewall system that has a minimal number of ports exposed.
• Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
• Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
• For more information, see Hitachi Energy's Security Advisories:
• 8DBD000150
• 8DBD000153
• Until the updates are made available, Hitachi Energy recommends the following general mitigation factors/workarounds for the products with RTU500 series CMU Firmware versions 12.0.1 - 12.0.15, 12.2.1 - 12.2.12, 12.4.1 - 12.4.12, 12.6.1 - 12.6.9, 12.7.1 - 12.7.6, 13.2.1 - 13.2.6, 13.3.1 - 13.3.3, 13.4.2 to address the vulnerabilities CVE-2023-0286 and CVE-2022-4304:
• Hitachi Energy has released the following mitigations/fixes for CVE-2022-23937, CVE-2022-0778, CVE-2021-3711, and CVE-2021-3712:
• RTU500 series CMU Firmware version 12.0.1 � 12.0.14: Update to CMU Firmware version 12.0.15* (Planned Update)
• RTU500 series CMU Firmware version 12.2.1 � 12.2.11: Update to CMU Firmware version 12.2.12* (Planned Update)
• RTU500 series CMU Firmware version 12.4.1 � 12.4.11: Update to CMU Firmware version 12.4.12* (Planned Update)
• RTU500 series CMU Firmware version 12.6.1 � 12.6.8: Update to CMU Firmware version 12.6.9
• RTU500 series CMU Firmware version 12.7.1 � 12.7.5: Update to CMU Firmware version 12.7.6
• RTU500 series CMU Firmware version 13.2.1 � 13.2.5: Update to CMU Firmware version 13.2.6
• RTU500 series CMU Firmware version 13.3.1 � 13.3.3: Update to CMU Firmware version 13.3.4* (Planned Update)

Affected Vendors

Affected Products (8)

Affected Sectors

Energy