1. EXECUTIVE SUMMARY
- CVSS v3 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: MicroSCADA Pro/X SYS600
- Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Authentication Bypass by Capture-replay, Missing Authentication for Critical Function, URL Redirection to Untrusted Site (‘Open Redirect’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to inject code towards persistent data, manipulate the file system, hijack a session, or engage in phishing attempts against users.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Hitachi Energy products are affected:
- Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.0 to Version 10.5 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7941)
- Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.2 to Version 10.5 (CVE-2024-7940)
- Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.5 (CVE-2024-7941)
- Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP1 (CVE-2024-3980)
- Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP2 HF1 to Version 9.4 FP2 HF5 (CVE-2024-4872, CVE-2024-3980)
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943
A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.
CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.
CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
An attacker with local access to a machine where MicroSCADA X SYS600 is installed could enable session logging and try to exploit a session hijacking of an already established session. By default, the session logging level is not enabled and only users with administrator rights can enable it.
CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The product exposes a service that is intended for local only to all network interfaces without any authentication.
CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
3.2.5 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601
A HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
CVE-2024-7941 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
3.3 PRODUCT IMPACT
Product-specific impact for an affected product vulnerable to the CVE:
- CVE-2024-4872
- CVE-2024-3980
3.4 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.5 RESEARCHER
Hitachi Energy PSIRT reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
- Hitachi Energy MicroSCADA X SYS600: Update to Version 10.6
- (CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA Pro SYS600: Apply Patch 9.4 FP2 HF6 (Installation of previous FP2 hotfixes are required prior to the installation of HF6)
- (CVE-2024-4872, CVE-2024-3980) Hitachi Energy MicroSCADA X SYS600, Hitachi Energy MicroSCADA Pro SYS600: Follow the general mitigation factors below.
- (CVE-2024-3982, CVE-2024-7940, CVE-2024-7941) Hitachi Energy MicroSCADA X SYS600: Follow the general mitigation factors below.
Hitachi Energy recommends the following security practices and firewall configurations to help protect process control networks from attacks that originate from outside the network:
- Ensure process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.
- Process control systems should not be used for Internet
surfing, instant messaging, or receiving e-mails. - Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
- Proper password policies and processes should be followed.
For detailed mitigation strategies, users can approach their Hitachi Energy organization contact.
Hitachi Electric highly recommends deploying the product following the “MicroSCADA cybersecurity deployment guideline” document. Users should maintain their systems with products running on supported versions and follow maintenance releases.
For more information, see Hitachi Energy Cybersecurity Advisory “Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 product”
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- November 26, 2024: Initial Publication