nessus: TENABLE_OT_ABB_CVE-2022-28613.NASL
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Mar 29, 2023 - 12:00 a.m.

Hitachi Energy RTU500 series Improper Input Validation (CVE-2022-28613)

2023-03-29 00:00:00
www.tenable.com

EPSS: 0.001 (Low)
Percentile: 38.7%

A vulnerability in the HCI Modbus TCP component of Hitachi Energy RTU500 series CMU Firmware, caused by a validation error in the length information carried in the MBAP header, allows an attacker to reboot the device by sending a specially crafted message. This issue affects: Hitachi Energy RTU500 series CMU Firmware 12.0.*; 12.2.*; 12.4.*; 12.6.*; 12.7.*; 13.2.*.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500943);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/24");

  script_cve_id("CVE-2022-28613");

  script_name(english:"Hitachi Energy RTU500 series Improper Input Validation (CVE-2022-28613)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability in the HCI Modbus TCP COMPONENT of Hitachi Energy
RTU500 series CMU Firmware that is caused by the validation error in
the length information carried in MBAP header allows an ATTACKER to
reboot the device by sending a special crafted message. This issue
affects: Hitachi Energy RTU500 series CMU Firmware 12.0.*; 12.2.*;
12.4.*; 12.6.*; 12.7.*; 13.2.*.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://search.abb.com/library/Download.aspx?DocumentID=8DBD000103&LanguageCode=en&DocumentPartId=&Action=Launch
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c31bf368");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-242-04");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Hitachi Energy made the following updates available to remediate the vulnerability:

- RTU500 series CMU firmware version 12.0.1.0–12.0.13.0: Update to version 12.0.14.0 or higher.
- RTU500 series CMU firmware version 12.2.1.0–12.2.11.0: Update to version 12.2.12.0 or higher.
- RTU500 series CMU firmware version 12.4.1.0–12.4.11.0: Update to version 12.4.12.0 or higher.
- RTU500 series CMU firmware version 12.6.1.0–12.6.7.0: Update to version 12.6.8.0 or higher.
- RTU500 series CMU firmware version 12.7.1.0–12.7.3.0: Update to version 12.7.4.0 or higher.
- RTU500 series CMU firmware version 13.2.1.0–13.2.4.0: Update to version 13.3.1.0, 13.2.5.0, or higher.

Because the vulnerability affects only the RTU500 series with HCI Modbus TCP configured and enabled, a possible
mitigation is to disable the HCI Modbus TCP function if not used. The HCI Modbus TCP is disabled by default.

Hitachi Energy recommends the following security practices and firewall configurations to help protect process control
networks from outside attacks:

- Physically protect process control systems from unauthorized direct access.
- Separate process control systems from other networks using a firewall system with only the necessary ports open.
- Process control systems should not be used for internet surfing, instant messaging, or receiving emails.
- Portable computers and removable storage media should be carefully scanned for viruses before connecting to a control
system.

For more information, see Hitachi Energy advisory 8DBD000103");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-28613");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:rtu500_firmware:12");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:abb:rtu500_firmware:13");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/ABB");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/ABB');

var asset = tenable_ot::assets::get(vendor:'ABB');

var vuln_cpes = {
    "cpe:/o:abb:rtu500_firmware:13" :
        {"versionEndExcluding" : "13.2.5.0", "versionStartIncluding" : "13.2.1.0", "family" : "AbbRTU500"},
    "cpe:/o:abb:rtu500_firmware:12.7" :
        {"versionEndExcluding" : "12.7.4.0", "versionStartIncluding" : "12.7.1.0", "family" : "AbbRTU500"},
    "cpe:/o:abb:rtu500_firmware:12.6" :
        {"versionEndExcluding" : "12.6.8.0", "versionStartIncluding" : "12.6.1.0", "family" : "AbbRTU500"},
    "cpe:/o:abb:rtu500_firmware:12.4" :
        {"versionEndExcluding" : "12.4.12.0", "versionStartIncluding" : "12.4.1.0", "family" : "AbbRTU500"},
    "cpe:/o:abb:rtu500_firmware:12.2" :
        {"versionEndExcluding" : "12.2.12.0", "versionStartIncluding" : "12.2.1.0", "family" : "AbbRTU500"},
    "cpe:/o:abb:rtu500_firmware:12" :
        {"versionEndExcluding" : "12.0.14.0", "versionStartIncluding" : "12.0.1.0", "family" : "AbbRTU500"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
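
The plugin hands the comparison to tenable_ot::cve::compare_and_report, whose internals are not shown on this page. As an added example (not Tenable's code), the Python below applies the same versionStartIncluding/versionEndExcluding ranges to an asset list and also accounts for the advisory's note that only devices with HCI Modbus TCP enabled are exposed. The inventory, the `hci_modbus_tcp_enabled` field and all function names are assumptions.

```python
# Added example, not Tenable's code. Ranges are copied from vuln_cpes above;
# the inventory and its field names are constructed for illustration.
VULN_RANGES = [  # (versionStartIncluding, versionEndExcluding)
    ("12.0.1.0", "12.0.14.0"),
    ("12.2.1.0", "12.2.12.0"),
    ("12.4.1.0", "12.4.12.0"),
    ("12.6.1.0", "12.6.8.0"),
    ("12.7.1.0", "12.7.4.0"),
    ("13.2.1.0", "13.2.5.0"),
]

def parse_version(text):
    """'12.4.9.0' -> (12, 4, 9, 0); as strings it would sort after '12.4.12.0'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def fixed_in(version):
    """Return the first fixed release of the matching branch, or None."""
    v = parse_version(version)
    for start, end in VULN_RANGES:
        if parse_version(start) <= v < parse_version(end):
            return end
    return None

def triage(inventory):
    """Map asset name -> status. Unknown HCI Modbus TCP state counts as enabled."""
    report = {}
    for asset in inventory:
        try:
            fix = fixed_in(asset["firmware"])
        except ValueError:
            report[asset["name"]] = "unknown version, check manually"
            continue
        if fix is None:
            report[asset["name"]] = "outside affected ranges"
        elif asset.get("hci_modbus_tcp_enabled", True):
            report[asset["name"]] = f"exposed, update to {fix} or higher"
        else:
            report[asset["name"]] = f"affected firmware, HCI Modbus TCP off, update to {fix} or higher"
    return report

INVENTORY = [  # constructed sample assets
    {"name": "rtu-a", "firmware": "12.4.9.0", "hci_modbus_tcp_enabled": True},
    {"name": "rtu-b", "firmware": "12.4.12.0"},
    {"name": "rtu-c", "firmware": "13.2.4.0", "hci_modbus_tcp_enabled": False},
    {"name": "rtu-d", "firmware": "13.2.x"},
]
```
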

Vendor | Product | Version | CPE
abb | rtu500_firmware | 12 | cpe:/o:abb:rtu500_firmware:12
abb | rtu500_firmware | 13 | cpe:/o:abb:rtu500_firmware:13
