CVE-2023-1514 HIGH

Published: 2023-12-19 | Last Modified: 2024-11-21 | Status: Modified

Description

A vulnerability exists in the component RTU500 Scripting interface. When a client connects to a server using TLS, the server presents a certificate. This certificate links a public key to the identity of the service and is signed by a Certification Authority (CA), allowing the client to validate that the remote service can be trusted and is not malicious. If the client does not validate the parameters of the certificate, then attackers could be able to spoof the identity of the service. An attacker could exploit the vulnerability by using faking the identity of a RTU500 device and intercepting the messages initiated via the RTU500 Scripting interface.

Additional Descriptions (1)

Existe una vulnerabilidad en RTU500 Scripting interface. Cuando un cliente se conecta a un servidor mediante TLS, el servidor presenta un certificado. Este certificado vincula una clave pública a la identidad del servicio y está firmado por Certification Authority (CA), lo que permite al cliente validar que se puede confiar en el servicio remoto y que no es malicioso. Si el cliente no valida los parámetros del certificado, los atacantes podrían falsificar la identidad del servicio. Un atacante podría aprovechar la vulnerabilidad falsificando la identidad de un dispositivo RTU500 e interceptando los mensajes iniciados a través de RTU500 Scripting interface.

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 3.6

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-295
[email protected]	Primary	en CWE-295

Affected Products

Vendor	Product	Version	Update	Type
hitachienergy	rtu500_scripting_interface	1.0.1.30	<built-in method update of dict object at 0x72a9cd08f8c0>	Application
hitachienergy	rtu500_scripting_interface	1.0.2	<built-in method update of dict object at 0x72a963c69d40>	Application
hitachienergy	rtu500_scripting_interface	1.1.1	<built-in method update of dict object at 0x72a9cd08c2c0>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.0.1.30:::::::*`
Yes	`cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.0.2:::::::*`
Yes	`cpe:2.3:a:hitachienergy:rtu500_scripting_interface:1.1.1:::::::*`

References

https://publisher.hitachienergy.com/preview?DocumentId=8DBD000152&languageCode=en&Preview=true
Source: [email protected]

Vendor Advisory
https://publisher.hitachienergy.com/preview?DocumentId=8DBD000152&languageCode=en&Preview=true
Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory