ICSA-23-278-01  ·  Published 2023-10-05

Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products

CVSS 9.8 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities by an attacker could have a high impact on availability, integrity, and confidentiality of the targeted devices.

Remediations

Hitachi Energy recommends the following actions:
  • AFF66X FW 03.0.02 and earlier: For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy's general mitigation factors below or update to upcoming AFF66X 04.x.xx FW when released.
  • AFS66X-S, AFS660-C, AFS66X-B, AFS670-V20 devices: For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy's general mitigation factors below or update to upcoming AFS66X, AFS670-V20 7.1.08 FW when released. Disable HTTP/HTTPS server or restrict access to HTTP/HTTPS to trusted IP addresses. Disable IEC61850-MMS server or restrict access to IEC61850-MMS to trusted IP addresses.
  • AFS65X, AFS67X, AFR677 devices: For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy's general mitigation factors below or update to AFS65X, AFS67X, AFR677 09.1.08 FW. Disable HTTP/HTTPS server or restrict access to HTTP/HTTPS to trusted IP addresses. Disable IEC61850-MMS server.
  • Hitachi Energy's general mitigation factors: Security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
  • For more information, please visit Hitachi Energy's Advisory.

Affected Vendors

Hitachi Energy

Affected Products (8)

Hitachi Energy · AFF66X FW <= 03.0.02
Hitachi Energy · AFS66X-S vers:all/*
Hitachi Energy · AFS660-C vers:all/*
Hitachi Energy · AFS66X-B vers:all/*
Hitachi Energy · AFS670-V20 vers:all/*
Hitachi Energy · AFS65X vers:all/*
Hitachi Energy · AFS67X vers:all/*
Hitachi Energy · AFR677 vers:all/*
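
To turn the remediation and affected-product lists above into an inventory check, the following added example (not part of the advisory or any Hitachi Energy tooling) matches asset records against the listed product families and returns the actions that apply. It assumes the advisory's "X" stands for one digit of the model number and that firmware at or above a named, already released update counts as updated; the inventory rows and the `triage` helper are constructed for illustration.

```python
import re

GENERAL = "apply Hitachi Energy's general mitigation factors"
WEB = "disable HTTP/HTTPS server or restrict it to trusted IP addresses"

# Rows transcribed from the Remediations list above:
# (model patterns, affected-through, fixed-in, actions).
# affected-through None = all versions; fixed-in None = update not yet released.
RULES = [
    (["AFF66X"], "03.0.02", None,
     [GENERAL, "update to AFF66X 04.x.xx FW when released"]),
    (["AFS66X-S", "AFS660-C", "AFS66X-B", "AFS670-V20"], None, None,
     [GENERAL, "update to 7.1.08 FW when released", WEB,
      "disable IEC61850-MMS server or restrict it to trusted IP addresses"]),
    (["AFS65X", "AFS67X", "AFR677"], None, "09.1.08",
     [GENERAL, "update to 09.1.08 FW", WEB, "disable IEC61850-MMS server"]),
]

def _ver(text):
    """'03.0.02' -> (3, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))

def _matches(pattern, model):
    # Assumption: the advisory's 'X' is a placeholder for one digit.
    rx = re.escape(pattern).replace("X", r"\d")
    return re.fullmatch(rx, model.strip().upper()) is not None

def triage(model, firmware):
    """Return (affected, actions) for one inventory record."""
    for patterns, through, fixed, actions in RULES:
        if not any(_matches(p, model) for p in patterns):
            continue
        fw = _ver(firmware)
        if through is not None and fw > _ver(through):
            return False, []
        # Assumption: firmware at or above the named release counts as updated.
        if fixed is not None and fw >= _ver(fixed):
            return False, []
        return True, actions
    return False, []  # model not listed in this advisory

# Constructed inventory, not real asset data.
INVENTORY = [("AFS677", "09.0.04"), ("AFS677", "09.1.08"), ("AFF660", "03.0.02"),
             ("AFF660", "04.0.01"), ("AFS660-S", "7.1.05"), ("AFS670-V20", "7.0.1")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        affected, actions = triage(model, fw)
        print(f"{model} {fw}: {'AFFECTED' if affected else 'ok'}")
        for action in actions:
            print(f"    - {action}")
```

Matching uses the full model string, so `AFS670-V20` falls under its own row and not under `AFS67X`.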

Affected Sectors

Energy
