PatchSiren cyber security CVE debrief
CVE-2023-0401 Hitachi Energy CVE debrief
CVE-2023-0401 is a high-severity denial-of-service issue in the OpenSSL signature-verification path used by Hitachi Energy PCU400-related products. When PKCS7 signed or signedAndEnveloped data is verified and the requested hash algorithm is known to OpenSSL but its implementation is unavailable, digest initialization can fail and a missing return-value check can lead to NULL pointer dereference and a likely crash. The source notes this can occur with FIPS-enabled provider configurations or when the legacy provider is not loaded. OpenSSL TLS handling is not described as affected; the risk is tied to applications that call the PKCS7/SMIME/TS verification functions on untrusted data.
- Vendor
- Hitachi Energy
- Product
- PCU400
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-25
- Original CVE updated
- 2025-02-25
- Advisory published
- 2025-02-25
- Advisory updated
- 2025-02-25
Who should care
Operators and integrators using Hitachi Energy PCU400 or PCULogger, especially environments that rely on IEC62351-3 secure communication for IEC104/DNP3. Security teams should also care if any third-party application in the environment uses OpenSSL PKCS7, SMIME, or timestamp verification on untrusted data.
Technical summary
The flaw is a NULL pointer dereference caused by an omitted check after digest initialization fails during PKCS7 signature verification. The failure path can be triggered when OpenSSL recognizes a hash algorithm but cannot load its implementation. In the vendor advisory, affected products are PCU400 versions 6.5 K and below, PCU400 versions 9.4.1 and below, and PCULogger versions 1.1.0 and below. The expected impact is a crash, consistent with the published CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
High. This is a remotely reachable availability issue with no privileges or user interaction required in the published CVSS vector, and the vendor provides specific upgrade guidance for affected product lines.
Recommended defensive actions
- Inventory deployments of PCU400 and PCULogger and confirm whether the affected version ranges are present.
- If IEC62351-3 secure for IEC104/DNP3 is used, update PCU400 versions 6.5 K and below to 6.6.0 or later.
- If IEC62351-3 secure for IEC104/DNP3 is used, update PCU400 versions 9.4.1 and below to 9.4.2 or later.
- If PCULogger is used, plan for version 1.2.0 when available; the advisory says it is compatible with PCU400 9.4.2 and later.
- Review any applications that verify PKCS7, SMIME, or timestamp signatures on untrusted data and confirm their OpenSSL provider configuration is supported.
- Monitor affected systems for unexpected crashes or service interruptions in signature-verification workflows.
Evidence notes
Source evidence comes from the CISA CSAF advisory published 2025-02-25 for Hitachi Energy PCU400 (ICSA-25-065-01), which lists the affected versions and remediation steps. The advisory text explicitly describes a NULL pointer dereference during PKCS7 signature verification when digest initialization fails, and it notes that TLS is not the affected path. The supplied data also includes official references to the vendor preview, the CISA advisory page, and NVD. No KEV listing is present in the supplied enrichment.
Official resources
-
CVE-2023-0401 CVE record
CVE.org
-
CVE-2023-0401 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory on 2025-02-25 (ICSA-25-065-01).