5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
Low
0.124 Low
EPSS
Percentile
95.5%
Successful exploitation of these vulnerabilities could allow an attacker to eavesdrop on traffic or to cause a denial-of-service condition.
Hitachi Energy reports these vulnerabilities affect the following System Data Manager products:
In affected OpenSSL versions, the Raccoon attack exploits a flaw in the TLS specification that can lead to an attacker computing the pre-master secret in connections that have used a Diffie-Hellman-based ciphersuite. This allows the attacker to eavesdrop on all encrypted communications sent over that TLS connection.
CVE-2020-1968 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
In affected versions of OpenLDAP, LDAP search filters with nested boolean expressions can result in a denial-of-service condition.
CVE-2020-12243 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A flaw in affected versions of the OpenLDAP slapd server may cause an assertion failure when processing a malicious packet. This may lead to a denial-of-service condition.
CVE-2020-25709 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A flaw in affected versions of OpenLDAP allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23() function. This may lead to a denial-of-service condition.
CVE-2020-25710 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A flaw was discovered in ldap_X509dn2bv in affected OpenLDAP versions leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in a denial-of-service condition.
CVE-2020-36229 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A flaw was discovered in affected OpenLDAP versions leading in an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in a denial-of-service condition.
CVE-2020-36230 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A flaw in affected versions of OpenSSL may cause calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate to overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. This could lead to applications behaving incorrectly.
CVE-2021-23840 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Hitachi Energy reported these vulnerabilities to CISA.
The vulnerabilities are remediated as of the following product Version SDM600 Version 1.2 FP2 HF10 (Build Nr. 1.2.14002.506). Hitachi Energy recommends users apply the update at the earliest convenience from the SDM600 product website.
Hitachi Energy also recommends the following general security mitigations:
For additional information, see the Hitachi Energy security advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12243
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1968
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25709
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25710
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36229
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36230
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23840
cwe.mitre.org/data/definitions/190.html
cwe.mitre.org/data/definitions/203.html
cwe.mitre.org/data/definitions/617.html
cwe.mitre.org/data/definitions/617.html
cwe.mitre.org/data/definitions/617.html
cwe.mitre.org/data/definitions/674.html
cwe.mitre.org/data/definitions/843.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
search.abb.com/library/Download.aspx?DocumentID=8DBD000074&LanguageCode=en&DocumentPartId=&Action=Launch
twitter.com/CISAgov
twitter.com/intent/tweet?text=Hitachi%20Energy%20System%20Data%20Manager+https://www.cisa.gov/news-events/ics-advisories/icsa-22-116-01
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics
www.cisa.gov/uscert/ics/recommended-practices
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-22-116-01&title=Hitachi%20Energy%20System%20Data%20Manager
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.hitachiabb-powergrids.com/ch/en/offering/product-and-system/scada/microscada-x/sdm600
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-22-116-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-22-116-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Hitachi%20Energy%20System%20Data%20Manager&body=www.cisa.gov/news-events/ics-advisories/icsa-22-116-01
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
Low
0.124 Low
EPSS
Percentile
95.5%