Use of Hard-coded Cryptographic Key in Hitachi Energy products - CVE-2022-3927

 

Use of Hard-coded Cryptographic Key in Hitachi Energy products - CVE-2022-3927

Published: January 6, 2023


Vulnerability identifier: #VU70768
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2022-3927
CWE-ID: CWE-321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Hitachi Energy
Affected software:
FOXMAN-UN R16A
FOXMAN-UN R15B
FOXMAN-UN R15A
FOXMAN-UN R14B
FOXMAN-UN R14A
FOXMAN-UN R11B
FOXMAN-UN R11A
FOXMAN-UN R10C
FOXMAN-UN R9C

Detailed vulnerability description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to the affected products contain public and private keys used to sign and protect custom parameter set (CPS) files from modification. A remote administrator can change the CPS file and sign it, so it is trusted as a legitimate CPS file.


How to mitigate CVE-2022-3927

Install updates from vendor's website.

Sources