On Thursday, October 05, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-23-278-01) highlighting an astonishing 14 different vulnerabilities in Hitachi Energy's AFS65x, AFF66x, AFS67x, and AFR67x series switches and firewalls. Hitachi Energy found these vulnerabilities through its own independent testing and reported them to CISA. These devices, such as the industrial firewall, managed switches, and routers, interconnect all aspects of a company and its various devices. The primary concern is the vulnerability within the industrial firewall. Industrial firewalls establish network or zone boundaries: the firewall inspects each packet it receives to determine whether it matches a desired template for traffic patterns, then filters or forwards packets accordingly. The vulnerabilities were found to be remotely exploitable with a very low attack complexity. They include Incorrect Calculation, Integer Overflow or Wraparound, Improper Encoding or Escaping of Output, and Exposure of Resource to Wrong Sphere.
Background
On Thursday, October 05, 2023, Hitachi Energy reported 14 vulnerabilities to CISA involving its networking equipment, including routers, switches, and firewall devices. Successful exploitation of these remotely exploitable vulnerabilities, which were self-reported by Hitachi Energy, might allow an attacker to divulge sensitive information or cause a Denial-of-Service (DoS). The vulnerabilities affect the following Hitachi Energy AFS65x, AFS67x, AFR67x, and AFF66x series products:
AFF66X FW: 03.0.02 and prior
AFS66X-S: All versions
AFS660-C: All versions
AFS66X-B: All versions
AFS670-V20: All versions
AFS65X: All versions
AFS67X: All versions
AFR677: All versions
Vulnerabilities
There were 14 reported vulnerabilities across a multitude of devices. All were assigned a Common Vulnerabilities and Exposures (CVE) number, ranging from CVE-2022-22822 to CVE-2021-46143. Many of them were integer overflow vulnerabilities. There were three I wanted to highlight:
To begin with, the Exposure of Resource to Wrong Sphere vulnerability, CVE-2022-25236, was assigned a CVSS v3 score of 9.8, ranking it as critical. Its entry describes vulnerable code in the xmlparse.c file of Expat (aka libexpat) before version 2.4.5 that allows attackers to insert namespace-separator characters into namespace URIs. Passing one or more namespace separator characters in “xmlns[:prefix]” attribute values made Expat send malformed tag names to the XML processor on top of Expat. This can lead to arbitrary code execution, depending on how the XML processor handles those unexpected names.
The second critical vulnerability, also with a CVSS v3 score of 9.8, was the Improper Encoding or Escaping of Output (CVE-2022-25235). This vulnerability likewise allows attackers to insert namespace-separator characters into namespace URIs. The affected product creates a structured message for communication with another component, but the data is either not encoded or escaped at all or is encoded incorrectly. As a result, the message’s intended structure is not retained. This issue could cause arbitrary code execution depending on how unexpected cases are handled inside the XML processor, similar to the previous vulnerability.
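The two namespace-separator vulnerabilities above share one mechanism: Expat hands namespaced element names to the application as the namespace URI, the separator character the application chose, and the local name, so a URI that itself contains the separator produces a name the application cannot split back into its parts. The following C program is an added illustration of that point and is not code from Expat or from Hitachi Energy; it scans a constructed sample document for xmlns declarations whose value contains the separator (a pre-parse triage check a defender can run on untrusted XML), then shows how a naive consumer mis-reads the expanded name. The separator character ('|'), the sample document and the function names are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample document (not from the advisory). The second xmlns
 * declaration carries '|', the character this demo's application uses as
 * Expat's namespace separator. */
static const char SAMPLE_XML[] =
    "<?xml version=\"1.0\"?>\n"
    "<root xmlns=\"http://example.invalid/ok\"\n"
    "      xmlns:a=\"http://example.invalid/a|b\">\n"
    "  <a:item>1</a:item>\n"
    "</root>\n";

/* Returns 1 if the namespace URI contains the separator the application
 * configured in Expat, which is the condition behind CVE-2022-25235/25236. */
int namespace_uri_has_separator(const char *uri, size_t len, char sep)
{
    return memchr(uri, sep, len) != NULL;
}

/* Scans raw XML text for xmlns="..." / xmlns:prefix="..." attributes and
 * counts the declarations whose value contains `sep`. This is a triage
 * pre-filter, not a full XML parser: it expects quoted attribute values. */
int count_unsafe_namespace_decls(const char *xml, char sep)
{
    int hits = 0;
    const char *p = xml;

    while ((p = strstr(p, "xmlns")) != NULL) {
        const char *q = p + 5;
        /* Must begin an attribute name: preceded by whitespace. */
        if (p != xml && !isspace((unsigned char)p[-1])) { p = q; continue; }
        if (*q == ':') {                         /* optional :prefix */
            q++;
            while (*q && *q != '=' && !isspace((unsigned char)*q)) q++;
        }
        while (isspace((unsigned char)*q)) q++;
        if (*q != '=') { p = q; continue; }
        q++;
        while (isspace((unsigned char)*q)) q++;
        if (*q != '"' && *q != '\'') { p = q; continue; }
        char quote = *q++;
        const char *end = strchr(q, quote);
        if (end == NULL) break;                  /* unterminated value: stop */
        if (namespace_uri_has_separator(q, (size_t)(end - q), sep)) hits++;
        p = end + 1;
    }
    return hits;
}

/* Expat reports a namespaced element as "URI<sep>local". A consumer that
 * recovers the local name by splitting at the first separator is fooled
 * once the URI itself contains one: the "local name" it sees is wrong. */
const char *local_name_naive(const char *expanded, char sep)
{
    const char *s = strchr(expanded, sep);
    return s ? s + 1 : expanded;
}

/* Splitting at the last separator recovers the local name (a well-chosen
 * separator is never a legal name character), but the URI part stays
 * ambiguous, so rejecting such a document before parsing is the real fix. */
const char *local_name_last_sep(const char *expanded, char sep)
{
    const char *s = strrchr(expanded, sep);
    return s ? s + 1 : expanded;
}

int main(void)
{
    char expanded[128];
    int unsafe = count_unsafe_namespace_decls(SAMPLE_XML, '|');
    printf("xmlns declarations containing '|': %d\n", unsafe);

    /* What a namespace-aware Expat would hand the application for <a:item> */
    snprintf(expanded, sizeof expanded, "%s%c%s",
             "http://example.invalid/a|b", '|', "item");
    printf("expanded name: %s\n", expanded);
    printf("naive consumer sees local name: %s\n", local_name_naive(expanded, '|'));
    printf("last-separator consumer sees:   %s\n", local_name_last_sep(expanded, '|'));
    return unsafe ? 1 : 0;
}
```

The pre-filter is deliberately conservative: a single hit is enough to refuse the document, which is cheaper and safer than trying to repair the expanded names after the parser has already produced them.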
Lastly, CVE-2021-45960 was given a score of 8.8 using the CVSS v3 metric. This vulnerability is likewise found in Expat (aka libexpat) before 2.4.3. Its entry notes that a left shift by 29 (or more) places in the storeAtts function of the xmlparse.c file can lead to reallocation misbehavior (e.g., allocating too few bytes or only freeing memory). It is a software bug that disrupts the process rather than granting control of it: when processing a large number of prefixed XML attributes on a single tag, libexpat may crash due to a buffer overrun, which poses a significant danger to availability.
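The reallocation misbehavior described above is the classic integer-wraparound pattern: a table grows in powers of two, and the byte count handed to the allocator is computed in arithmetic too narrow to hold it. The C program below is an added example written for this post, not Expat's storeAtts code; it models the size computation with an assumed 8-byte entry and 32-bit arithmetic (a 32-bit size_t) and places the unchecked computation beside a checked one that refuses any shift or product that cannot be represented. The entry size, the function names and the power-of-two growth are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed entry size for the demo; Expat's real attribute record differs. */
#define ENTRY_BYTES 8u

/* Unchecked growth: the table holds 2^power entries and the byte count is
 * computed in 32-bit arithmetic, modelling a 32-bit size_t. At power 29 the
 * product 2^29 * 8 is exactly 2^32 and wraps to 0, so the allocator would be
 * asked for zero bytes, the "allocating too few bytes or only freeing memory"
 * the advisory describes. (power is masked to keep the shift itself defined.) */
uint32_t unchecked_table_bytes(unsigned power, uint32_t entry_bytes)
{
    uint32_t entries = (uint32_t)1u << (power & 31u);
    return entries * entry_bytes;            /* modular, silently wraps */
}

/* Checked growth: refuses a shift that cannot be represented and a product
 * that would exceed the 32-bit limit. Returns the byte count, or -1. */
int64_t checked_table_bytes(unsigned power, uint32_t entry_bytes)
{
    if (power >= 32u)
        return -1;                           /* 1 << power would overflow */
    uint32_t entries = (uint32_t)1u << power;
    if (entry_bytes != 0 && entries > UINT32_MAX / entry_bytes)
        return -1;                           /* entries * entry_bytes overflows */
    return (int64_t)entries * entry_bytes;
}

int main(void)
{
    /* Walk the growth sequence across the point where the unchecked
     * computation wraps: power 28 is the last size that fits. */
    for (unsigned power = 27; power <= 30; power++) {
        printf("power %2u: unchecked=%10u checked=%lld\n", power,
               unchecked_table_bytes(power, ENTRY_BYTES),
               (long long)checked_table_bytes(power, ENTRY_BYTES));
    }
    return 0;
}
```

The division-based test (`entries > UINT32_MAX / entry_bytes`) is the portable way to detect the overflow before it happens; checking the product after the multiplication is too late because the wraparound has already discarded the high bits.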
Significance
Arbitrary code execution (ACE) lets an attacker run instructions or code of their choice on a target machine or in a target process. An exploited arbitrary code execution vulnerability can have devastating effects, especially on networking equipment such as the devices mentioned above. Some of the recommendations from Hitachi Energy include:
AFF66X FW 03.0.02 and earlier:
For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy’s general mitigation factors below or update to upcoming AFF66X 04.x.xx FW when released.
AFS66X-S, AFS660-C, AFS66X-B, AFS670-V20 devices:
For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy’s general mitigation factors below or update to upcoming AFS66X, AFS670-V20 7.1.08 FW when released.
Disable HTTP/HTTPS server or restrict access to HTTP/HTTPS to trusted IP addresses.
Disable IEC61850-MMS server or restrict access to IEC61850-MMS to trusted IP addresses.
AFS65X, AFS67X, AFR677 devices:
For all vulnerabilities, apply mitigation strategy as described in Hitachi Energy’s general mitigation factors below or update to AFS65X, AFS67X, AFR677 09.1.08 FW.
Disable HTTP/HTTPS server or restrict access to HTTP/HTTPS to trusted IP addresses.
Disable IEC61850-MMS server.
Resources
gHale. (2023, October 5). Hitachi Energy Mitigation Plan for Managed Switches. ISSSource. https://www.isssource.com/hitachi-energy-mitigation-plan-for-managed-switches/
Hitachi Energy. (2023, September 26). Hitachi Energy Publisher. publisher.hitachienergy.com. https://publisher.hitachienergy.com/preview?DocumentId=8DBD000165&DocumentRevisionId=B&languageCode=en&Preview=true
CISA. (2023, October 5). Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products (ICSA-23-278-01). www.cisa.gov. https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-01
NIST. (2022a, January 1). NVD – CVE-2021-45960. nvd.nist.gov. https://nvd.nist.gov/vuln/detail/CVE-2021-45960
NIST. (2022b, February 15). NVD – CVE-2022-25235. nvd.nist.gov. https://nvd.nist.gov/vuln/detail/CVE-2022-25235
NIST. (2022c, February 15). NVD – CVE-2022-25236. nvd.nist.gov. https://nvd.nist.gov/vuln/detail/CVE-2022-25236