9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.972 High
EPSS
Percentile
99.8%
Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices.
Hitachi Energy reports these vulnerabilities affect the following AFF660/665 products:
3.2.1 CROSS-SITE SCRIPTING CWE-79
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names DNS servers returned via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo could lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
CVE-2021-43523 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
3.2.2 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must rely on unauthenticated IPv4 time sources. There must be an off-path attacker who could query time from the victim’s ntpd instance.
CVE-2020-13817 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
3.2.3 ORIGIN VALIDATION ERROR CWE-346
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 could allow an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address because transmissions are rescheduled even when a packet lacks a valid origin timestamp.
CVE-2020-11868 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.4 INTEGER OVERFLOW OR WRAPAROUND CWE-190
TCP_SKB_CB(skb)->tcp_gso_segs value is subject to an integer overflow in the Linux kernel when handling TCP selective acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit.
CVE-2019-11477 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
A vulnerability named “non-responsive delegation attack” (NRDelegation attack) has been discovered in various DNS resolving software. The NRDelegation attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack could cause a resolver to spend time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It could trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation, which could lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but still requires resources to resolve the malicious delegation. Unbound will continue to try to resolve the record until it reaches hard limits. Based on the nature of the attack and the replies, Unbound could reach different limits. From version 1.16.3 on, Unbound introduces fixes for better performance when under load by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.
CVE-2022-3204 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.6 NULL POINTER DEREFERENCE CWE-476
snmp_oid_compare in snmplib/snmp_api.c in NetSNMP before 5.8 has a NULL pointer exception bug that an unauthenticated attacker could use to remotely cause the instance to crash via a crafted UDP packet, resulting in denial of service.
CVE-2018-18066 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Hitachi Energy reported these vulnerabilities to CISA.
Hitachi Energy recommends the following actions:
Hitachi Energy recommends the following general mitigations:
For more information, see Hitachi Energy’s Security Advisory: 8DBD000167.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18066
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11477
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11868
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13817
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43523
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3204
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/190.html
cwe.mitre.org/data/definitions/330.html
cwe.mitre.org/data/definitions/346.html
cwe.mitre.org/data/definitions/400.html
cwe.mitre.org/data/definitions/476.html
cwe.mitre.org/data/definitions/79.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
search.abb.com/library/Download.aspx?DocumentID=8DBD000167
twitter.com/CISAgov
twitter.com/intent/tweet?text=%E2%80%8BHitachi%20Energy%20AFF66x+https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01&title=%E2%80%8BHitachi%20Energy%20AFF66x
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=%E2%80%8BHitachi%20Energy%20AFF66x&body=www.cisa.gov/news-events/ics-advisories/icsa-23-234-01
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.972 High
EPSS
Percentile
99.8%