Full Report
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released five ICS (industrial control systems) advisories providing... The post Hardware vulnerabilities in Hitachi Energy, ABB, B&R ICS devices pose critical infrastructure threat appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities Disclosed in Hitachi Energy RTU500, TRMTracker, and B&R APROL ICS Products
## CVE Details
- CVE ID: CVE-2024-10037, CVE-2024-11499, CVE-2024-12169, CVE-2025-1445, and several others affecting B&R APROL and Hitachi TRMTracker.
- CVSS Score: Varies. Ranges from 4.9 (CVSS v3) / 5.9 (CVSS v4) for DoS up to 7.5 (CVSS v3) / 8.7 (CVSS v4) for connectivity-related issues.
- CWE: Null Pointer Dereference, Insufficient Resource Pool, Missing Synchronization, LDAP Injection, XSS, SSRF, etc.
## Affected Systems
- **Products:** Hitachi Energy RTU500 series CMU, Hitachi Energy TRMTracker, B&R APROL hardware and software components.
- **Versions:**
  - **RTU500 Series CMU:**
    - Versions 12.0.1 – 12.0.14, 12.2.1 – 12.2.12, 12.4.1 – 12.4.11, 12.6.1 – 12.6.10, 12.7.1 – 12.7.7 (general fix path)
    - Versions 13.2.1 – 13.2.7, 13.4.1 – 13.4.4, 13.5.1 – 13.5.3, 13.6.1 (specific fixes)
    - Versions 13.7.1 – 13.7.4 (specific fixes)
  - **TRMTracker:** Versions 6.2.04 and prior; versions 6.3.0 and 6.3.01.
  - **APROL:** All versions prior to 4.4-01 (for CVE-2024-45483, CVE-2024-10209); 4.4-00P1 and prior (for CVE-2024-45482); 4.4-00P5 and prior (for several CVEs including CVE-2024-45481, CVE-2024-45480, etc.).
- **Configurations:** Specific configuration requirements mentioned for RTU500 issues include requiring proper authentication, the RTU500 test mode function being enabled, or secure communication (TLS/IEC 62351-3) being enabled.
## Vulnerability Description
CISA disclosed multiple vulnerabilities across several ICS products:
1. **RTU500 (CVE-2024-10037):** A null pointer dereference/insufficient resource pool/missing synchronization flaw in the web server component allows an authenticated attacker sending a specially crafted message sequence over a WebSocket connection to cause a Denial of Service (DoS) to the CMU application.
2. **RTU500 (CVE-2024-11499):** An authenticated, authorized attacker can trigger a CMU restart by updating certificates while they are in use on active IEC 60870-5-104 controlled station connections.
3. **RTU500 (CVE-2024-12169):** An attacker performing a specific sequence on the IEC 60870-5-104 controlled station or IEC 61850 functionality (when TLS/IEC 62351-3 is enabled) can restart the CMU.
4. **RTU500 (CVE-2025-1445):** Specific timing situations during TLS renegotiation of an active IEC 61850 client/server connection can impact CMU availability (DoS).
5. **TRMTracker:** Contains vulnerabilities including LDAP Injection, general Injection flaws, and Cross-Site Scripting (XSS), potentially allowing remote command execution, web-cache poisoning, and sensitive information disclosure/modification.
6. **APROL:** Contains numerous flaws (including Privilege Escalation, SSRF, XSS, Command Execution) across various component versions.
## Exploitation
- **Status:** PoC availability is not explicitly detailed for all CVEs, but general exploitation for DoS and information disclosure is implied by the vulnerability types (XSS, Injection, DoS).
- **Complexity:** Varies. CVE-2024-10037 requires authentication. CVE-2024-12169 requires TLS to be enabled and specific attack sequencing.
- **Attack Vector:** Primarily Network, requiring authentication for several RTU500 flaws.
## Impact
- **Confidentiality:** Affected (TRMTracker allows disclosure of sensitive information; APROL allows gathering sensitive info).
- **Integrity:** Affected (TRMTracker allows modification of information; APROL allows altering the product).
- **Availability:** Affected (Multiple RTU500 CVEs explicitly mention Denial of Service or CMU restart).
## Remediation
### Patches
- **RTU500 Series CMU:**
  - Update to version **12.7.8** when available (for versions 12.x).
  - Update to version **13.7.1** (for specific 13.2.x, 13.4.x, 13.5.x, 13.6.1 releases; addresses CVE-2024-11499, CVE-2025-1445).
  - Update to version **13.5.4** when available (for 13.5.1 – 13.5.3).
  - Update to version **13.6.2** when available (for 13.6.1).
  - Update to version **13.7.6** when available (for specific paths addressing CVE-2024-12169 and others).
- **TRMTracker:**
  - Update to **v6.2.04.014** or **v6.3.02** (for versions 6.2.04 and prior).
  - Update to **v6.3.02** (for versions 6.3.0 and 6.3.01).
- **APROL:** Upgrade to non-vulnerable versions (e.g., 4.4-01, 4.4-00P2, 4.4-00P6, or newer, depending on the specific CVE).
- **General:** Change all secrets/passwords after applying updates due to credential confidentiality risks in some APROL vulnerabilities.
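The RTU500 version ranges and fix versions above can be turned into a simple inventory triage check. This is an added example, not vendor tooling; the mapping of each 13.x range to a single fix version is this example's reading of the overlapping 13.x fix paths listed above, and the device inventory is constructed.

```python
"""Triage RTU500 Series CMU firmware versions against the affected ranges
listed in the advisory summary (added example, not vendor tooling)."""

# (first affected, last affected, fix version) as listed on the page.
# Assumption: each 13.x range maps to one fix version; the advisory is authoritative.
AFFECTED_RTU500 = [
    ("12.0.1", "12.0.14", "12.7.8"),
    ("12.2.1", "12.2.12", "12.7.8"),
    ("12.4.1", "12.4.11", "12.7.8"),
    ("12.6.1", "12.6.10", "12.7.8"),
    ("12.7.1", "12.7.7",  "12.7.8"),
    ("13.2.1", "13.2.7",  "13.7.1"),
    ("13.4.1", "13.4.4",  "13.7.1"),
    ("13.5.1", "13.5.3",  "13.5.4"),
    ("13.6.1", "13.6.1",  "13.6.2"),
    ("13.7.1", "13.7.4",  "13.7.6"),
]


def parse_version(v):
    """'12.7.7' -> (12, 7, 7). Numeric tuples avoid the string-compare
    trap where '12.0.9' sorts after '12.0.14'."""
    return tuple(int(p) for p in v.strip().split("."))


def check_rtu500(version):
    """Return (affected_range, fix_version) if the version is listed as
    affected, else None (unlisted versions are not assumed safe)."""
    ver = parse_version(version)
    for low, high, fix in AFFECTED_RTU500:
        if parse_version(low) <= ver <= parse_version(high):
            return (f"{low}-{high}", fix)
    return None


def triage_inventory(inventory):
    """inventory: {device_name: version}. Returns only devices needing an update."""
    hits = {dev: check_rtu500(ver) for dev, ver in inventory.items()}
    return {dev: hit for dev, hit in hits.items() if hit is not None}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"rtu-a": "12.7.7", "rtu-b": "12.7.8", "rtu-c": "13.6.1", "rtu-d": "12.0.9"}
    for dev, (rng, fix) in triage_inventory(sample).items():
        print(f"{dev}: affected ({rng}), update to {fix}")
```

Versions not present in any listed range (for example 12.7.8 or 13.7.5) return None, which means "not listed", not "confirmed fixed".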
### Workarounds
- Apply the general mitigation factors and workarounds recommended by Hitachi Energy for all affected versions, and keep them in place until patches are available.
- Securely place control system networks/devices behind firewalls and isolate them from business networks.
- Avoid direct Internet connections to control system devices.
- Use secure methods like VPNs for remote access, ensuring VPNs are also updated.
- For RTU500, physically secure systems from unauthorized access.
## Detection
- **Indicators of Compromise:** Look for unexpected CMU restarts or DoS conditions tied to WebSocket activity or certificate updates on RTU500 devices. Look for unusual outbound network traffic (SSRF) or web console errors (XSS) on TRMTracker.
- **Detection Methods and Tools:** Monitor network traffic for specially crafted WebSocket messages directed at the RTU500 web server. Regularly audit firewall configurations to ensure ICS networks are isolated and not directly exposed to the internet.
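The indicator above (unexpected CMU restarts following WebSocket activity or certificate updates) can be checked by correlating events in a device log. This is an added example, not RTU500 tooling; the log format, event names and sample lines are constructed, and the 30-second window and five-session burst threshold are assumptions to tune per site.

```python
"""Flag RTU500 CMU restarts preceded by a WebSocket connection burst or a
certificate update (added example; log format and events are constructed)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <device> <event> key=value ..."
SAMPLE_LOG = """\
2025-04-01T10:00:01 rtu-a websocket_open src=10.1.2.50
2025-04-01T10:00:02 rtu-a websocket_open src=10.1.2.50
2025-04-01T10:00:02 rtu-a websocket_open src=10.1.2.50
2025-04-01T10:00:03 rtu-a websocket_open src=10.1.2.50
2025-04-01T10:00:04 rtu-a websocket_open src=10.1.2.50
2025-04-01T10:00:09 rtu-a cmu_restart reason=unexpected
2025-04-01T11:30:00 rtu-b cert_update user=operator
2025-04-01T11:30:07 rtu-b cmu_restart reason=unexpected
2025-04-02T02:00:00 rtu-c cmu_restart reason=scheduled
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_log(log):
    """Return a list of (timestamp, device, event, fields) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, dev, ev, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), dev, ev, fields))
    return events


def suspicious_restarts(log, window_s=30, ws_burst=5):
    """Return (device, restart_time, tag) for each unexpected restart that
    follows a cert_update or >= ws_burst websocket_open events within window_s."""
    events = parse_log(log)
    findings = []
    for ts, dev, ev, f in events:
        if ev != "cmu_restart" or f.get("reason") == "scheduled":
            continue
        start = ts - timedelta(seconds=window_s)
        prior = [e for e in events if e[1] == dev and start <= e[0] < ts]
        if any(e[2] == "cert_update" for e in prior):
            findings.append((dev, ts.isoformat(), "restart_after_cert_update"))
        elif sum(1 for e in prior if e[2] == "websocket_open") >= ws_burst:
            findings.append((dev, ts.isoformat(), "restart_after_websocket_burst"))
    return findings
```

Scheduled restarts are excluded so that planned maintenance does not raise alerts; a restart with no preceding trigger in the window is left for manual review.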
## References
- Vendor advisory for Hitachi Energy RTU500 (CISA ICSA-25-093-01) (Defanged URL unavailable)
- Vendor advisory for Hitachi Energy TRMTracker (CISA ICSA-25-093-02) (Defanged URL unavailable)
- Vendor advisories for B&R APROL (Defanged URL unavailable)