Today CISA’s NCCIC-ICS published two control system security advisories for products from Hitachi Energy. They also updated an advisory for products from Schneider Electric. I also go down the rabbit hole to find a duplicate Hitachi advisory.
Hitachi Energy #1
This advisory describes an improper handling of insufficient privilege vulnerability in the Hitachi Energy Relion 670/650/SAM600-IO products. The vulnerability was self-reported. The Hitachi advisory notes that the vulnerability was reported by Robert Erbes of DOE CyTRICS. Hitachi Energy has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow anyone with user credentials to bypass the security controls enforced by the product.
NOTE: I briefly discussed this vulnerability on November 6th, 2021 and again most recently on March 2nd, 2025.
Hitachi Energy #2
This advisory discusses eight vulnerabilities in the Hitachi Energy PCU400 and PCULogger products. These are third-party vulnerabilities (OpenSSL) that were reported by a researcher from Dragos. Hitachi Energy has new versions that mitigate the vulnerabilities.
The eight reported vulnerabilities are:
Type confusion - CVE-2023-0286,
NULL pointer dereference (3) - CVE-2023-0217, CVE-2023-0216, and CVE-2023-0401,
Use after free - CVE-2023-0215,
Double free - CVE-2022-4450,
Observable discrepancy - CVE-2022-4304, and
Out-of-bounds read - CVE-2022-4203
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to access or decrypt sensitive data, crash the device application, or cause a denial-of-service condition.
Schneider Update
This update provides additional information on the EcoStruxure advisory that was originally published on February 6th, 2025. The new information includes:
Adding fix for EcoStruxure Process Expert, and
Adding EcoStruxure Process Expert for AVEVA System Platform to the list of affected products.
NOTE 1: Today’s CISA announcement of these advisories provides an incorrect link for this advisory. It links to ICSA-25-037-01 (also a Schneider advisory from the same date) that has not yet been updated.
NOTE 2: I briefly discussed this updated information on February 11th, 2025.
DTRH – Duplicate Hitachi Advisories
In November, 2021, when Hitachi published their Relion 670/650/SAM600-IO products advisory upon which today’s CISA advisory is based, they published two other advisories for other products affected by the same vulnerability:
Insufficient Security Control Vulnerability in Hitachi Energy PWC600 Product CVE-2021-35534, and
Insufficient Security Control Vulnerability in Hitachi Energy GMS600 Product CVE-2021-35534
All three advisories are listed in the NVD.NIST.gov record for CVE-2021-35534:
Relion 670 - https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058&LanguageCode=en&DocumentPartId=&Action=Launch,
GMS600 - https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059&LanguageCode=en&DocumentPartId=&Action=Launch, and
Unfortunately, none of those links work as they lead to the ABB.com servers which no longer service the Hitachi Energy product information. The GMS600 advisory can be found here. The PWC600 advisory can be found here. The Relion 670 advisory can be found here.
So, trying to find out if CISA had covered the other two Hitachi Energy advisories, I went to CISA’s “Cybersecurity Alerts & Advisories” page and typed “CVE-2021-35534” into the ‘What are you looking for?’ box. CISA found two different advisories covering that CVE: ICSA-25-065-02 (today’s advisory) and ICSA-21-343-01 (update A). I reported on the second advisory on December 9th, 2021.
Interestingly, the earlier advisory does not provide any affected version information for the PWC 600 products. Oh, and there are no fixed versions for either the PWC 600 or the GMS 600 products.
Today’s advisory does provide fixed versions for more of the Relion products than were previously announced. So, today’s advisory should really have been published as an UPDATE B for the 2021 advisory.