SB2023010610 - Multiple vulnerabilities in Hitachi Energy UNEM
Published: January 6, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Inadequate Encryption Strength (CVE-ID: CVE-2021-40341)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to inadequate encryption strength within the DES cypher. A local attacker can decrypt the cypher in a short time.
2) Cryptographic issues (CVE-ID: CVE-2021-40342)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the affected products use a DES implementation with a default key for encryption. A local attacker can obtain sensitive information and gain access to network elements managed by the FOXMAN-UN.
3) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-3927)
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to the affected products contain public and private keys used to sign and protect custom parameter set (CPS) files from modification. A remote administrator can change the CPS file and sign it, so it is trusted as a legitimate CPS file.
4) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-3928)
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to the message queue contains a hard-coded credential. A local attacker can access data from the internal message queue.
5) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-3929)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses common object request broker architecture CORBA (CORBA) to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain trace internal messages.
Remediation
Install update from vendor's website.