Hitachi Energy UNEM/ECST

Posted on Tuesday March 04, 2025

1. EXECUTIVE SUMMARY

CVSS v4 6.8
ATTENTION: Low Attack Complexity
Vendor: Hitachi Energy
Equipment: XMC20, ECST, UNEM
Vulnerability: Improper Validation of Certificate with Host Mismatch

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

XMC20: Versions prior to R16B
ECST: Versions prior to 16.2.1
UNEM: Versions prior to R15A
UNEM: R15A
UNEM: R15B PC4 and prior
UNEM: R16A
UNEM: R16B PC2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF CERTIFICATE WITH HOST MISMATCH CWE-297

Hitachi Energy is aware of a vulnerability that affects the ECST client application which if exploited could allow attackers to intercept or falsify data exchanges between the client and the server.

CVE-2024-2462 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H).

A CVSS v4 score has also been calculated for  CVE-2024-2462. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Darius Pavelescu and Bernhard Rader from Limes Security reported this vulnerability to Hitachi Energy.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

UNEM R16B PC2 and earlier: Update to UNEM R16B PC3 or later and apply general mitigation factors.
UNEM R15B PC4 or prior: Update to UNEM R15B PC5 and apply general mitigation factors. (Update planned)
UNEM R16A, UNEM R15A: EOL versions - no fix will be available. Apply general mitigation factors. It should be noted that users with a UNEM R16A installation are entitled to an update to the UNEM R16B given the R16B is not in an inactive lifecycle state.
XMC20 less than R16B: Update to XMC20 R16B
ECST less than 16.2.1: Update to ECST_16.2.1

The following product versions have been fixed:

UNEM R16B PC3 or later is a fixed version.
UNEM R15B PC5 is a fixed version.
XMC20 R16B is a fixed version.
ECST 16.2.1 is a fixed version.

For more information see the associated security advisory 8DBD000203 - SSH Host Key Verification Vulnerability in Hitachi Energy's UNEM/ECST Product.

Hitachi Energy recommends users implement recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.