PatchSiren cyber security CVE debrief
CVE-2023-0215 Hitachi Energy CVE debrief
CVE-2023-0215 is a use-after-free in OpenSSL's BIO_new_NDEF cleanup path that can leave stale pointers behind after a failure and cause a later BIO_pop() to dereference freed memory. In the supplied CISA/Hitachi Energy advisory, this upstream issue is mapped to Hitachi Energy PCU400 and PCULogger products, with the main operational effect described as a likely crash. The source indicates no confidentiality or integrity impact, but availability is high.
- Vendor
- Hitachi Energy
- Product
- PCU400
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-11
- Original CVE updated
- 2025-05-06
- Advisory published
- 2025-02-11
- Advisory updated
- 2025-05-06
Who should care
OT operators, control-system engineers, and patch coordinators responsible for Hitachi Energy PCU400 or PCULogger deployments, especially sites using IEC62351-3 secure IEC104/DNP3 communications.
Technical summary
The advisory describes an OpenSSL helper, BIO_new_NDEF, that prepends an ASN.1 filter BIO to a caller-supplied BIO chain. If error handling frees the new filter but does not fully clean up the chain, the caller may later invoke BIO_pop() against a BIO that still points to freed memory, creating a use-after-free. The supplied notes say this scenario occurs in internal OpenSSL streaming paths and can surface through PCU400/PCULogger-related software paths, with the likely result being a crash. The provided CVSS vector is 7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
High for affected OT environments; prioritize version inventory, upgrade planning, and maintenance-window coordination on any system running the affected PCU400 or PCULogger releases.
Recommended defensive actions
- Update PCU400 to version 6.6.0 or later if IEC62351-3 secure IEC104/DNP3 is used.
- Update PCU400 to version 9.4.2 or later if IEC62351-3 secure IEC104/DNP3 is used.
- Update PCULogger to version 1.2.0 when available; the advisory says it is compatible with PCU400 9.4.2 and later.
- Confirm which affected products and versions are deployed before scheduling remediation.
- Follow CISA ICS recommended practices and vendor guidance during patching and maintenance planning.
Evidence notes
The supplied CSAF advisory (ICSA-25-065-01, published 2025-02-25) states that BIO_new_NDEF can leave stale internal pointers after a failure and that a subsequent BIO_pop() can trigger a use-after-free. The advisory notes map the issue to Hitachi Energy PCU400 and PCULogger product versions, list the affected releases and remediation paths, and describe the likely result as a crash. The provided CVSS data is 7.5 with AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied enrichment also indicates this is not a KEV-listed issue in the provided data.
Official resources
-
CVE-2023-0215 CVE record
CVE.org
-
CVE-2023-0215 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Coordinated vendor/CISA disclosure via CSAF advisory ICSA-25-065-01, first published 2025-02-25.