Cleartext storage of sensitive information in Hitachi Energy IED Connectivity Packages and PCM600 Products



Published: 2022-11-30
Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2022-2513
CWE-ID: CWE-312
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
PCM600 Update Manager
Other software / Other software solutions

670 Connectivity Package
Other software / Other software solutions

650 Connectivity Package
Other software / Other software solutions

SAM600-IO Connectivity Package
Other software / Other software solutions

GMS600 Connectivity Package
Other software / Other software solutions

PWC600 Connectivity Package
Other software / Other software solutions

Vendor: Hitachi Energy

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cleartext storage of sensitive information

EUVDB-ID: #VU69736

Risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2513

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists because the credential storage function of the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) stores user credentials in plaintext in the database. A local attacker can obtain IED credentials.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

PCM600 Update Manager: 2.11

670 Connectivity Package: 3.0 - 3.4.1

650 Connectivity Package: 1.3 - 2.4.1

SAM600-IO Connectivity Package: 1.0 - 1.2

GMS600 Connectivity Package: 1.3 - 1.3.1

PWC600 Connectivity Package: 1.1 - 1.3

External links

http://search.abb.com/library/Download.aspx?DocumentID=8DBD000120&LanguageCode=en&DocumentPartId=&Action=Launch
http://www.cisa.gov/uscert/ics/advisories/icsa-22-333-02


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


