PatchSiren cyber security CVE debrief
CVE-2023-0217 Hitachi Energy CVE debrief
CVE-2023-0217 is a denial-of-service issue tied to OpenSSL public-key checking behavior. In the supplied CISA CSAF advisory, Hitachi Energy maps the issue to PCU400 and PCULogger versions used with IEC62351-3 secure IEC104/DNP3 features. The practical risk is application crash if malformed DSA public keys from untrusted sources are processed.
- Vendor: Hitachi Energy
- Product: PCU400
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-25
- Original CVE updated: 2025-02-25
- Advisory published: 2025-02-25
- Advisory updated: 2025-02-25
Who should care
Operators, integrators, and maintainers of Hitachi Energy PCU400 environments, especially systems using IEC62351-3 secure for IEC104/DNP3 and any PCULogger deployments at or below the affected versions.
Technical summary
The advisory describes an invalid pointer dereference on read when EVP_PKEY_public_check() is used to validate a malformed DSA public key. The most likely outcome is an application crash, which makes this a network-reachable denial-of-service concern when applications accept public keys from untrusted sources. The advisory notes that OpenSSL TLS does not call this function, but applications may call it for additional requirements such as FIPS 140-3.
Defensive priority
High. The CVSS 3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and the likely impact is service disruption rather than data compromise.
Recommended defensive actions
- Update Hitachi Energy PCU400 to version 6.6.0 or later, or to version 9.4.2 or later, depending on which product line is deployed, if IEC62351-3 secure for IEC104/DNP3 is used.
- Plan to update PCULogger to version 1.2.0 when it becomes available; the advisory states it is compatible with PCU400 9.4.2 and later.
- Review whether your deployment accepts public keys from untrusted sources and whether EVP_PKEY_public_check() is used in any application-specific validation flow.
- Apply CISA-recommended industrial control system defense-in-depth practices to reduce the impact of an application crash or service interruption.
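The two PCU400 fixed versions above apply to separate product lines, and PCULogger 1.2.0 is a pending release, so an inventory check has to handle three outcomes: fixed, still exposed, or not something the advisory speaks to. The following triage helper is an added example written for this debrief, not vendor or CISA code. It assumes that 6.6.0 governs the 6.x line and 9.4.2 governs the 9.x line (the advisory only says "depending on the product line"), and it reports any other PCU400 major line as unknown rather than guessing. The sample inventory at the bottom is constructed.

```python
"""Fix-version triage for CVE-2023-0217 as mapped by ICSA-25-065-01.

Added example for this debrief; not Hitachi Energy or CISA code.
Assumption: the 6.6.0 fix applies to the PCU400 6.x line and the 9.4.2 fix
to the 9.x line. Other major lines are reported as "unknown".
"""

from typing import NamedTuple, Optional


class Verdict(NamedTuple):
    product: str
    installed: str
    status: str   # fixed | vulnerable | unknown | not-exposed
    note: str


# Per-line fixed versions from the advisory remediation (assumed line mapping).
FIXED_PCU400 = {6: (6, 6, 0), 9: (9, 4, 2)}
# PCULogger fix is announced as 1.2.0 "when it becomes available".
FIXED_PCULOGGER = (1, 2, 0)


def parse_version(text: str) -> tuple:
    """Turn '6.6' or '9.4.2' into a comparable integer tuple (padded to 3 parts)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def triage_pcu400(installed: str, uses_iec62351_3: bool = True) -> Verdict:
    """Classify a PCU400 install against the advisory's two fixed versions."""
    v = parse_version(installed)
    if not uses_iec62351_3:
        # The advisory scopes the fix to the IEC62351-3 secure IEC104/DNP3 feature.
        return Verdict("PCU400", installed, "not-exposed",
                       "IEC62351-3 secure IEC104/DNP3 not in use")
    fixed = FIXED_PCU400.get(v[0])
    if fixed is None:
        return Verdict("PCU400", installed, "unknown",
                       "major line not covered by the advisory remediation; confirm with vendor")
    if v >= fixed:
        return Verdict("PCU400", installed, "fixed", f"at or above {fmt(fixed)}")
    return Verdict("PCU400", installed, "vulnerable", f"update to {fmt(fixed)} or later")


def triage_pculogger(installed: str) -> Verdict:
    """Classify a PCULogger install; the fix is a pending 1.2.0 release."""
    v = parse_version(installed)
    if v >= FIXED_PCULOGGER:
        return Verdict("PCULogger", installed, "fixed", f"at or above {fmt(FIXED_PCULOGGER)}")
    return Verdict("PCULogger", installed, "vulnerable",
                   f"update to {fmt(FIXED_PCULOGGER)} once released (requires PCU400 9.4.2+)")


def triage_inventory(rows: list) -> list:
    """rows: (product, version, uses_iec62351_3) tuples -> list of Verdicts."""
    out = []
    for product, version, secure in rows:
        if product == "PCU400":
            out.append(triage_pcu400(version, secure))
        elif product == "PCULogger":
            out.append(triage_pculogger(version))
        else:
            out.append(Verdict(product, version, "unknown", "not in this advisory"))
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real asset data.
    sample = [
        ("PCU400", "6.5.3", True),
        ("PCU400", "9.4.2", True),
        ("PCU400", "7.0.1", True),
        ("PCU400", "6.1.0", False),
        ("PCULogger", "1.1.0", True),
    ]
    for verdict in triage_inventory(sample):
        print(f"{verdict.product:10} {verdict.installed:8} {verdict.status:12} {verdict.note}")
```

Status "vulnerable" here means only that the installed build is below the advisory's fixed version; whether the crash is actually reachable still depends on the review item above (untrusted public keys reaching EVP_PKEY_public_check()).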
Evidence notes
The supplied CSAF advisory (ICSA-25-065-01) published by CISA on 2025-02-25 maps CVE-2023-0217 to Hitachi Energy PCU400 and PCULogger. The advisory description states that malformed DSA public keys can trigger an invalid pointer dereference on read during EVP_PKEY_public_check(), most likely causing an application crash. Remediations in the advisory specify PCU400 6.6.0+ or 9.4.2+ depending on the product line, and PCULogger 1.2.0 when available. No KEV listing is included in the supplied data.
Official resources
- CVE-2023-0217 CVE record (CVE.org)
- CVE-2023-0217 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the supplied advisory record for ICSA-25-065-01 on 2025-02-25T13:30:00Z, and the record shows the same timestamp for modification. The supplied enrichment data does not list CVE-2023-0217 in CISA KEV.