CVE-2023-0216 Hitachi Energy CVE debrief

Who should care

Operators and maintainers of Hitachi Energy PCU400 and PCULogger, especially environments using IEC62351-3 secure IEC104/DNP3 functionality. Security teams responsible for OT asset inventories, patch management, and application hardening should prioritize review.

Technical summary

The issue is described as an invalid pointer dereference on read triggered by malformed PKCS7 data passed to d2i_PKCS7(), d2i_PKCS7_bio(), or d2i_PKCS7_fp(). The result is an application crash, creating a denial-of-service condition. The advisory notes that OpenSSL’s TLS implementation does not call these functions, but third-party applications may invoke them on untrusted data.

Defensive priority

High for exposed or operationally important OT deployments, because the flaw can cause an application crash and the affected products support industrial communication use cases. Prioritize systems that use the impacted versions and secure IEC104/DNP3 features.

Recommended defensive actions

• Update PCU400 to version 6.6.0 or later when IEC62351-3 secure for IEC104/DNP3 is used.
• Update PCU400 to version 9.4.2 or later when IEC62351-3 secure for IEC104/DNP3 is used.
• If PCULogger is used, plan to update to version 1.2.0 or later when available; it is noted as compatible with PCU400 9.4.2 and later.
• Inventory OT systems for any third-party software that may call OpenSSL PKCS7 parsing functions on untrusted input.
• Reduce exposure to untrusted inputs and follow CISA industrial control system defensive guidance for segmentation, least privilege, and defense in depth.

Evidence notes

The source CSAF advisory identifies Hitachi Energy PCU400 and PCULogger as affected products and describes the crash condition from malformed PKCS7 data. It also lists the vendor remediation guidance and links to the vendor advisory and CISA advisory. CVSS is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), supporting a high availability-focused priority.

Official resources