www.cisa.gov
2a02:26f0:7100:8b3::447a
Public Scan
URL:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-01
Submission: On September 13 via api from TR — Scanned from DE
Text Content
ICS Advisory
HITACHI ENERGY LUMADA APM EDGE
Release Date: September 12, 2023
Alert Code: ICSA-23-255-01

1. EXECUTIVE SUMMARY

* CVSS v3 7.5
* ATTENTION: Exploitable remotely/low attack complexity
* Vendor: Hitachi Energy
* Equipment: Lumada Asset Performance Management (APM) Edge
* Vulnerabilities: Use After Free, Double Free, Type Confusion, Observable Discrepancy

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition or disclosure of sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi products are affected:

* Lumada APM Edge: Versions 4.0 and prior
* Lumada APM Edge: Version 6.3

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 DOUBLE FREE CWE-415

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data.
If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial-of-service attack.

CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.2.4 OBSERVABLE DISCREPANCY CWE-203

A timing-based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

* CRITICAL INFRASTRUCTURE SECTORS: Energy
* COUNTRIES/AREAS DEPLOYED: Worldwide
* COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has fixed the vulnerabilities for Lumada APM in version 6.5.0.2 and later and recommends users update their systems to the appropriate version.

Lumada APM Edge versions 4.0 and prior are no longer supported and are considered End-of-Life.

Hitachi Energy reported that Lumada APM Edge relies on the HAProxy service (a pre-requisite component) as an API gateway, so it must be exposed to the end-users via network. For Lumada APM Edge to be accessible to the end-users, it is crucial for this service, which also utilizes OpenSSL libraries, to be updated along with its underlying operating system.

Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, have security updates applied to installed software components and others that must be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

For more information, see Hitachi Energy advisory 8DBD000169.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

* September 12, 2023: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.