github - ghsa-rrwm-2vxq-5x2h

GHSA-RRWM-2VXQ-5X2H

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-06-03 18:53

Details

A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database. An attacker who manages to get access to the exported backup file can exploit the vulnerability and obtain credentials of the IEDs. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-2513"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-22T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy\u2019s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database. An attacker who manages to get access to the exported backup file can exploit the vulnerability and obtain credentials of the IEDs. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.",
  "id": "GHSA-rrwm-2vxq-5x2h",
  "modified": "2024-06-03T18:53:43Z",
  "published": "2023-07-06T19:24:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2513"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000120\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000120\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2022-2513 (GCVE-0-2022-2513)

Vulnerability from cvelistv5 – Published: 2022-11-22 10:30 – Updated: 2025-08-27 20:32

Summary

A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Assigner

Hitachi Energy

References

URL

Tags

https://publisher.hitachienergy.com/preview?Docum…

Impacted products

Vendor

Product

Version

Hitachi Energy

PCM600

Affected: v2.6 , ≤ 2.11 Hotfix 20220617 (custom)

Hitachi Energy	670 Connectivity Package	Affected: 3.0 , ≤ 3.4.1 (semver)
Hitachi Energy	650 Connectivity Package	Affected: 1.3 , ≤ 2.4.1 (semver)
Hitachi Energy	SAM600-IO Connectivity Package	Affected: 1.0 , ≤ 1.2 (semver)
Hitachi Energy	GMS600 Connectivity Package	Affected: 1.3 , ≤ 1.3.1 (semver)
Hitachi Energy	PWC600 Connectivity Package	Affected: 1.1 , ≤ 1.3 (semver)

Credits

PSE - Polskie Sieci Elektroenergetyczne (Polish Power Grid Company (PPGC))

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:39:08.068Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000120\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2513",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-25T20:57:36.531395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-27T20:32:51.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PCM600",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "2.11 Hotfix 20220617",
              "status": "affected",
              "version": "v2.6",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "670 Connectivity Package",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "3.4.1",
              "status": "affected",
              "version": "3.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "650 Connectivity Package",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "1.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SAM600-IO Connectivity Package",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "1.2",
              "status": "affected",
              "version": "1.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "GMS600 Connectivity Package",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "1.3.1",
              "status": "affected",
              "version": "1.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PWC600 Connectivity Package",
          "vendor": "Hitachi Energy",
          "versions": [
            {
              "lessThanOrEqual": "1.3",
              "status": "affected",
              "version": "1.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "PSE - Polskie Sieci Elektroenergetyczne (Polish Power Grid Company (PPGC))"
        }
      ],
      "datePublic": "2022-11-15T13:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy\u2019s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy\u2019s PCM600 product included in the versions listed below, where IEDs credentials are stored in a cleartext format in the PCM600 database and logs files. An attacker having get access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machine can obtain other user credentials by analyzing database log files. The credentials may be used to perform unauthorized modifications such as loading incorrect configurations, reboot the IEDs or cause a denial-of-service on the IEDs."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-28T10:20:49.089Z",
        "orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
        "shortName": "Hitachi Energy"
      },
      "references": [
        {
          "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000120\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to PCM600 v2.11 Hotfix 20240426 or apply mitigation\nfactors/workarounds as described in the Mitigation Factors/Workarounds Section.\u003cbr\u003e\u003cbr\u003eList of CPEs:\u0026nbsp;\u003cbr\u003ecpe:2.3:a:hitachienergy:pcm600:*:*:*:*:*:*:*:*\u003cbr\u003e\u003cbr\u003ecpe:2.3:a:hitachienergy:670ConnectivityPackage:3.4.1:*:*:*:*:*:*:*\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.3.0:*:*:*:*:*:*:*\n\u003cbr\u003e\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.2.6:*:*:*:*:*:*:*\n\n\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.1.2:*:*:*:*:*:*:*\u003cbr\u003e\n\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.0.2:*:*:*:*:*:*:*\u003cbr\u003e\n\n\u003cbr\u003ecpe:2.3:a:hitachienergy:650ConnectivityPackage:2.4.1:*:*:*:*:*:*:*\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.3.0:*:*:*:*:*:*:*\u003cbr\u003e\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.2.2:*:*:*:*:*:*:*\u003cbr\u003e\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.1.2:*:*:*:*:*:*:*\u003cbr\u003e\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:1.3.0:*:*:*:*:*:*:*\u003cbr\u003e\n\n\u003cbr\u003ecpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.2.0:*:*:*:*:*:*:*\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.1.0:*:*:*:*:*:*:*\u003cbr\u003e\n\n\n\ncpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.0.0:*:*:*:*:*:*:*\n\n\u003cbr\u003e\u003cbr\u003ecpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.3.0:*:*:*:*:*:*:*\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.2.0:*:*:*:*:*:*:*\n\n\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.2:*:*:*:*:*:*:*\n\n\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.1:*:*:*:*:*:*:*\n\n\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.0:*:*:*:*:*:*:*\n\n\u003cbr\u003e\u003cbr\u003ecpe:2.3:a:hitachienergy:gms600ConnectivityPackage:1.3.1:*:*:*:*:*:*:*\u003cbr\u003e\n\ncpe:2.3:a:hitachienergy:gms600ConnectivityPackage:1.3.0:*:*:*:*:*:*:*\n\n\u003cbr\u003e \n\n\u003cbr\u003e"
            }
          ],
          "value": "Update to PCM600 v2.11 Hotfix 20240426 or apply mitigation\nfactors/workarounds as described in the Mitigation Factors/Workarounds Section.\n\nList of CPEs:\u00a0\ncpe:2.3:a:hitachienergy:pcm600:*:*:*:*:*:*:*:*\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.4.1:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.3.0:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.2.6:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.1.2:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:670ConnectivityPackage:3.0.2:*:*:*:*:*:*:*\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.4.1:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.3.0:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.2.2:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:2.1.2:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:650ConnectivityPackage:1.3.0:*:*:*:*:*:*:*\n\n\n\ncpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.2.0:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.1.0:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:sam600ioConnectivityPackage:1.0.0:*:*:*:*:*:*:*\n\n\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.3.0:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.2.0:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.2:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.1:*:*:*:*:*:*:*\n\n\n\n\ncpe:2.3:a:hitachienergy:pwc600ConnectivityPackage:1.1.0:*:*:*:*:*:*:*\n\n\n\ncpe:2.3:a:hitachienergy:gms600ConnectivityPackage:1.3.1:*:*:*:*:*:*:*\n\n\ncpe:2.3:a:hitachienergy:gms600ConnectivityPackage:1.3.0:*:*:*:*:*:*:*"
        }
      ],
      "source": {
        "advisory": "8DBD000120",
        "discovery": "EXTERNAL"
      },
      "title": "Cleartext Credentials Vulnerability on Hitachi Energy\u2019s Multiple IED Connectivity Packages (IED ConnPacks) and PCM600 Products",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is recommended to implement and continuously revise least privileges principles to minimize permissions and\naccesses to PCM600 related resources, included the backup file, PCMI/PCMP file.\u003cbr\u003e\u003cbr\u003e Recommended security\npractices and firewall configurations can help protect a process control network from attacks that originate from\noutside the network. Such practices include that process control systems are physically protected from direct\naccess by unauthorized personnel, have no direct connections to the Internet, and are separated from other\nnetworks by means of a firewall system that has a minimal number of ports exposed, and others that have to be\nevaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or\nreceiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses\nbefore they are connected to a control system. \u003cbr\u003e\u003cbr\u003eAn additional recommendation is to follow the hardening guidelines published by \u201cThe Center for Internet Security\n(CIS)\u201d \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.cisecurity.org/about-us/\"\u003ehttps://www.cisecurity.org/about-us/\u003c/a\u003e to protect the host Operating System.\n\u003cbr\u003e\u003cbr\u003eMore information to deploy PCM600 securely can be found in the following documents:\n1MRS758440, PCM600 Cyber Security Deployment Guideline\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "It is recommended to implement and continuously revise least privileges principles to minimize permissions and\naccesses to PCM600 related resources, included the backup file, PCMI/PCMP file.\n\n Recommended security\npractices and firewall configurations can help protect a process control network from attacks that originate from\noutside the network. Such practices include that process control systems are physically protected from direct\naccess by unauthorized personnel, have no direct connections to the Internet, and are separated from other\nnetworks by means of a firewall system that has a minimal number of ports exposed, and others that have to be\nevaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or\nreceiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses\nbefore they are connected to a control system. \n\nAn additional recommendation is to follow the hardening guidelines published by \u201cThe Center for Internet Security\n(CIS)\u201d  https://www.cisecurity.org/about-us/  to protect the host Operating System.\n\n\nMore information to deploy PCM600 securely can be found in the following documents:\n1MRS758440, PCM600 Cyber Security Deployment Guideline"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
    "assignerShortName": "Hitachi Energy",
    "cveId": "CVE-2022-2513",
    "datePublished": "2022-11-22T10:30:34.309Z",
    "dateReserved": "2022-07-22T13:30:13.171Z",
    "dateUpdated": "2025-08-27T20:32:51.508Z",
    "requesterUserId": "add9a720-9bad-45a2-bedc-fce6888e4172",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-RRWM-2VXQ-5X2H

CVE-2022-2513 (GCVE-0-2022-2513)

Tags

Sightings

Nomenclature