SB2023010610 - Multiple vulnerabilities in Hitachi Energy UNEM

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023010610

SB2023010610 - Multiple vulnerabilities in Hitachi Energy UNEM

Published: January 6, 2023

Security Bulletin ID SB2023010610
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Inadequate Encryption Strength (CVE-ID: CVE-2021-40341)

CWE-ID: CWE-326 - Inadequate Encryption Strength

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to inadequate encryption strength within the DES cypher. A local attacker can decrypt the cypher in a short time.


2) Cryptographic issues (CVE-ID: CVE-2021-40342)

CWE-ID: CWE-310 - Cryptographic Issues

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the affected products use a DES implementation with a default key for encryption. A local attacker can obtain sensitive information and gain access to network elements managed by the FOXMAN-UN.


3) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-3927)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Clear


The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected products contain public and private keys used to sign and protect custom parameter set (CPS) files from modification. A remote administrator can change the CPS file and sign it, so it is trusted as a legitimate CPS file.


4) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2022-3928)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to compromise the target system.

The vulnerability exists due to the message queue contains a hard-coded credential. A local attacker can access data from the internal message queue.


5) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-3929)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses common object request broker architecture CORBA (CORBA) to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain trace internal messages.


Remediation

Install update from vendor's website.

References