PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-1532 Hitachi Energy CVE debrief

CVE-2024-1532 is a vulnerability in the stb-language file handling of Hitachi Energy RTU500 series CMU Firmware. Published on April 25, 2024, it lets a malicious actor force diagnostic texts to be displayed as empty strings when an authorized user uploads a specially crafted stb-language file. The vulnerability carries a CVSS 3.1 score of 6.8 (MEDIUM severity) with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H: network attack vector, low attack complexity, high privileges required, no user interaction, changed scope, and high availability impact. It affects eight firmware version ranges across the 12.x and 13.x release branches. Hitachi Energy has released fixes for the 12.7.x and 13.2.x branches, while other affected versions currently rely on mitigation measures including network segmentation, physical access controls, and security best practices. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Hitachi Energy
Product: RTU500 series CMU Firmware
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-25
Original CVE updated: 2024-04-25
Advisory published: 2024-04-25
Advisory updated: 2024-04-25

Who should care

Organizations operating Hitachi Energy RTU500 series remote terminal units in industrial control system environments, particularly electric utilities, oil and gas facilities, and water/wastewater systems using affected CMU Firmware versions. Asset owners should prioritize patching for 12.7.x and 13.2.x deployments while implementing network segmentation and access controls for other affected versions. OT security teams and ICS-CERT coordinators should monitor for vendor patch availability for remaining affected firmware branches.

Technical summary

The vulnerability exists in the stb-language file handling component of RTU500 series CMU Firmware. An authenticated attacker with high privileges can craft a malicious stb-language file that, when uploaded by an authorized user, causes diagnostic texts to render as empty strings. This is an availability impact on system diagnostics functionality. The attack requires network access but no user interaction beyond the initial authorized upload. Scope is changed (S:C), indicating that the vulnerable component impacts resources beyond its security scope. Eight firmware version ranges are affected: 12.0.1-12.0.14, 12.2.1-12.2.11, 12.4.1-12.4.11, 12.6.1-12.6.9, 12.7.1-12.7.6, 13.2.1-13.2.6, 13.4.1-13.4.4, and 13.5.1-13.5.3. Vendor fixes are available for the 12.7.x and 13.2.x branches; other versions require compensating controls until patches are released.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided firmware updates for affected RTU500 series CMU Firmware versions 12.7.x (update to 12.7.7) and 13.2.x (update to 13.2.7) as prioritized fixes
  • For firmware versions without available patches (12.0.1-12.0.14, 12.2.1-12.2.11, 12.4.1-12.4.11, 12.6.1-12.6.9, 13.4.1-13.4.4, 13.5.1-13.5.3), implement network segmentation to isolate process control systems from untr
  • Restrict physical access to RTU500 devices to authorized personnel only
  • Prevent direct internet connectivity for RTU500 process control systems
  • Deploy firewall systems with minimal exposed ports between process control networks and other network segments
  • Prohibit use of process control systems for internet browsing, instant messaging, or email
  • Scan all portable computers and removable storage media for malware before connection to control systems
  • Review Hitachi Energy security advisory for additional vendor-specific guidance
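
To apply the version ranges and fixed releases above to an asset inventory, the following added example (not Hitachi Energy or PatchSiren code) classifies firmware version strings into patch, mitigate, not-listed, or unparseable. The asset names and status labels are assumptions made for illustration, and "not-listed" means only that the version falls outside the ranges quoted on this page.

```python
import re

# Ranges and fixed releases as stated on this page for CVE-2024-1532:
# (major, minor) -> (first affected patch, last affected patch, fixed release or None)
AFFECTED = {
    (12, 0): (1, 14, None), (12, 2): (1, 11, None),
    (12, 4): (1, 11, None), (12, 6): (1, 9, None),
    (12, 7): (1, 6, "12.7.7"), (13, 2): (1, 6, "13.2.7"),
    (13, 4): (1, 4, None), (13, 5): (1, 3, None),
}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version):
    """Return (status, detail) for one CMU firmware version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return ("unparseable", "verify the firmware version manually")
    major, minor, patch = (int(g) for g in m.groups())
    entry = AFFECTED.get((major, minor))
    if entry is None or not (entry[0] <= patch <= entry[1]):
        return ("not-listed", "outside the ranges listed for CVE-2024-1532")
    if entry[2]:
        return ("patch", "update to " + entry[2])
    return ("mitigate", "no fix listed; segment network and restrict access")


def triage_inventory(rows):
    """Group (asset, version) rows by triage status."""
    report = {}
    for asset, version in rows:
        status, detail = triage(version)
        report.setdefault(status, []).append((asset, version, detail))
    return report


# Constructed sample inventory; asset names are hypothetical.
SAMPLE = [
    ("rtu-substation-a", "12.7.4"), ("rtu-substation-b", "13.2.7"),
    ("rtu-pump-01", "12.4.11"), ("rtu-pump-02", "13.5.x"),
]

if __name__ == "__main__":
    for status, items in triage_inventory(SAMPLE).items():
        for asset, version, detail in items:
            print(f"{status:12} {asset:18} {version:9} {detail}")
```

Unparseable entries are reported separately so that a malformed inventory field is checked by hand instead of being counted as unaffected.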

Evidence notes

CVE description and affected product versions derived from CISA CSAF advisory ICSA-24-116-01. CVSS score and vector from official CVE record. Remediation details extracted from vendor-provided mitigation and fix instructions in the CSAF document.
