#VU70768 Use of Hard-coded Cryptographic Key in Hitachi Energy products - CVE-2022-3927
Vulnerability identifier: #VU70768
Vulnerability risk: Low
CVSSv4.0: 1.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-321
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
FOXMAN-UN R16A
Server applications /
Other server solutions
FOXMAN-UN R15B
Server applications /
Other server solutions
FOXMAN-UN R15A
Server applications /
Other server solutions
FOXMAN-UN R14B
Server applications /
Other server solutions
FOXMAN-UN R14A
Server applications /
Other server solutions
FOXMAN-UN R11B
Server applications /
Other server solutions
FOXMAN-UN R11A
Server applications /
Other server solutions
FOXMAN-UN R10C
Server applications /
Other server solutions
FOXMAN-UN R9C
Server applications /
Other server solutions
Vendor: Hitachi Energy
Description
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to the affected products contain public and private keys used to sign and protect custom parameter set (CPS) files from modification. A remote administrator can change the CPS file and sign it, so it is trusted as a legitimate CPS file.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
FOXMAN-UN R16A: All versions
FOXMAN-UN R15B: All versions
FOXMAN-UN R15A: All versions
FOXMAN-UN R14B: All versions
FOXMAN-UN R14A: All versions
FOXMAN-UN R11B: All versions
FOXMAN-UN R11A: All versions
FOXMAN-UN R10C: All versions
FOXMAN-UN R9C: All versions
External links
https://search.abb.com/library/Download.aspx?DocumentID=8DBD000083&LanguageCode=en&DocumentPartId=&Action=Launch
https://www.cisa.gov/uscert/ics/advisories/icsa-23-005-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
