ICSA-24-317-02  ·  Published 2024-11-12  ·  Source: CISA ICS-CERT

Hitachi Energy TRO600

CVSS 7.2 HIGH

Risk Summary

A command injection vulnerability in the Edge Computing UI of the TRO600 series radios allows execution of arbitrary system commands. If exploited, an attacker with write access to the web UI can execute commands on the device with root privileges, far beyond what the write privilege is intended to grant.

Profile files from TRO600 series radios are exported in both plain-text and encrypted file formats. Profile files give potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access.

Remediations

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2024-41153) Hitachi Energy TRO600 series firmware versions 9.1.0.0 to 9.2.0.0 (Edge computing functionality): update to version 9.2.0.5.
  • (CVE-2024-41156) Hitachi Energy TRO600 series firmware versions 9.0.1.0 to 9.2.0.0 (Configuration utility): update to version 9.2.0.5.

Hitachi Energy also recommends the following security practices and firewall configurations, which can help protect a process control network from attacks that originate from outside the network:

  • Physically protect process control systems from direct access by unauthorized personnel.
  • Do not connect process control systems directly to the Internet.
  • Separate them from other networks by means of a firewall system that exposes a minimal number of ports.
  • Do not use process control systems for Internet surfing, instant messaging, or receiving e-mail.
  • Carefully scan portable computers and removable storage media for viruses before connecting them to a control system.

For more details, refer to the "Configuration Guide" document for the respective TRO600 series router version. For more information, see Hitachi Energy's security advisory 8DBD000147.

Affected Vendors

Hitachi Energy

Affected Products (2)

Hitachi Energy · TRO600 series firmware, versions 9.0.1.0 through 9.2.0.0 inclusive (Configuration utility; CVE-2024-41156)
Hitachi Energy · TRO600 series firmware, versions 9.1.0.0 through 9.2.0.0 inclusive (Edge computing functionality; CVE-2024-41153)

Affected Sectors

Energy
