PatchSiren cyber security CVE debrief
CVE-2024-1531 Hitachi Energy CVE debrief
A vulnerability in the stb-language file handling of Hitachi Energy RTU500 series CMU Firmware allows a malicious actor to print random memory content in the system log when an authorized user uploads a specially crafted stb-language file. The vulnerability was published on April 25, 2024, with a CVSS 3.1 score of 8.2 (HIGH). The attack vector is network-based with low complexity, requiring high privileges but no user interaction. The scope is changed, with low impact on confidentiality and integrity, and high impact on availability. Eight product versions across firmware branches 12.0.x through 13.5.x are affected. Hitachi Energy has released firmware updates for versions 12.7.x and 13.2.x, while interim mitigations including network segmentation, physical access controls, and security best practices are recommended for other affected versions until patches become available.
- Vendor: Hitachi Energy
- Product: RTU500 series CMU Firmware
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-25
- Original CVE updated: 2024-04-25
- Advisory published: 2024-04-25
- Advisory updated: 2024-04-25
Who should care
Organizations operating Hitachi Energy RTU500 series remote terminal units in industrial control system environments, including electric utilities, oil and gas facilities, water/wastewater systems, and other critical infrastructure sectors. Asset owners, OT security engineers, control system operators, and compliance teams responsible for IEC 62351, NERC CIP, or similar industrial cybersecurity standards should prioritize assessment and remediation.
Technical summary
The vulnerability exists in stb-language file handling within RTU500 series CMU Firmware. An authenticated attacker with high privileges can exploit this by crafting a malicious stb-language file that, when uploaded by an authorized user, causes random memory content to be printed to the RTU500 system log. This represents an information disclosure weakness with potential availability impact. The CVSS 3.1 score of 8.2 reflects network attackability, low complexity, and high availability impact despite requiring high privileges. Affected versions span multiple firmware branches: 12.0.1-12.0.14, 12.2.1-12.2.11, 12.4.1-12.4.11, 12.6.1-12.6.9, 12.7.1-12.7.6, 13.2.1-13.2.6, 13.4.1-13.4.4, and 13.5.1-13.5.3. Vendor fixes are available for the 12.7.x and 13.2.x branches; other versions require interim mitigations including network isolation, physical security, and operational security controls until patches are released.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor firmware updates where available: update RTU500 series CMU Firmware 12.7.1-12.7.6 to version 12.7.7, and 13.2.1-13.2.6 to version 13.2.7
- Implement network segmentation to isolate process control systems from other networks using firewalls with minimal exposed ports
- Physically protect RTU500 systems from unauthorized direct access
- Prevent direct Internet connections to process control systems
- Restrict process control systems from Internet surfing, instant messaging, and email
- Scan portable computers and removable storage media for malware before connecting to control systems
- Review the Hitachi Energy security advisory for additional guidance on versions without available patches
- Apply CISA ICS recommended practices for defense-in-depth security architecture
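The following sketch is an added example, not part of the advisory or any vendor tooling: it triages firmware versions from an asset inventory against the affected ranges and fixed versions listed on this page. The `major.minor.patch` input format, the status labels, and the sample inventory are assumptions made for illustration.

```python
import re

# Affected ranges as listed on this page:
# (major, minor) -> (first affected patch, last affected patch, fixed version or None)
AFFECTED = {
    (12, 0): (1, 14, None),
    (12, 2): (1, 11, None),
    (12, 4): (1, 11, None),
    (12, 6): (1, 9, None),
    (12, 7): (1, 6, "12.7.7"),
    (13, 2): (1, 6, "13.2.7"),
    (13, 4): (1, 4, None),
    (13, 5): (1, 3, None),
}

_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version):
    """Return (status, action) for a firmware version string 'major.minor.patch'."""
    m = _VERSION.match(version)
    if not m:
        return ("unparsed", "check the version manually")
    major, minor, patch = map(int, m.groups())
    entry = AFFECTED.get((major, minor))
    # Versions outside the listed ranges are reported as "not-listed" rather than
    # "safe": this page makes no statement about them.
    if entry is None or not entry[0] <= patch <= entry[1]:
        return ("not-listed", "not in the listed ranges; confirm with the vendor advisory")
    fixed = entry[2]
    if fixed:
        return ("affected", f"update to {fixed}")
    return ("affected", "apply interim mitigations until a patch is released")


def triage_inventory(rows):
    """Map asset name -> (version, status, action) for (asset, version) pairs."""
    return {asset: (version, *triage(version)) for asset, version in rows}


if __name__ == "__main__":
    # Constructed sample inventory; asset names are hypothetical.
    sample = [("rtu-sub-01", "12.7.3"), ("rtu-sub-02", "13.4.2"),
              ("rtu-sub-03", "12.7.7"), ("rtu-sub-04", "unknown")]
    for asset, result in triage_inventory(sample).items():
        print(asset, *result, sep=" | ")
```
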
Evidence notes
CVE published and modified 2024-04-25 per CISA CSAF advisory ICSA-24-116-01. CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H. Eight affected product versions identified in CSAF product tree. Vendor fixes available for CSAFPID-0005 (12.7.x) and CSAFPID-0006 (13.2.x); mitigations provided for CSAFPID-0001 through CSAFPID-0004, CSAFPID-0007, and CSAFPID-0008.
Official resources
- CVE-2024-1531 CVE record (CVE.org)
- CVE-2024-1531 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-25