CVE-2021-35534 (GCVE-0-2021-35534)
Vulnerability from cvelistv5 – Published: 2021-11-18 16:35 – Updated: 2024-09-16 18:45 – CWE-274 - Improper Handling of Insufficient Privileges
| URL | Tags |
|---|---|
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_CONFIRM |
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_CONFIRM |
| https://search.abb.com/library/Download.aspx?Docu… | x_refsource_CONFIRM |
| Vendor | Product | Version |
|---|---|---|
| Hitachi Energy | Relion 670 Series | Affected: 2.0 all revisions; Affected: 2.2.2 all revisions; Affected: 2.2.3 , < 2.2.3.5 (custom) |
| Hitachi Energy | Relion 670/650 Series | Affected: 2.2.0 all revisions; Affected: 2.2.4 all revisions; Affected: 2.1 all revisions |
| Hitachi Energy | Relion 670/650/SAM600-IO | Affected: 2.2.1 all revisions; Affected: 2.2.5 , < 2.2.5.2 (custom) |
| Hitachi Energy | Relion 650 | Affected: 1.1 all revisions; Affected: 1.2 all revisions; Affected: 1.0 all revisions; Affected: 1.3 , < 1.3.0.8 (custom) |
| Hitachi Energy | GMS600 | Affected: 1.3.0; Affected: 1.3.1.0 1.3.0.1; Affected: 1.2.0 |
| Hitachi Energy | PWC600 | Affected: 1.0.1 , ≤ 1.0.1.4 (custom); Affected: 1.1.0 , ≤ 1.1.0.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Relion 670 Series",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "2.0 all revisions"
},
{
"status": "affected",
"version": "2.2.2 all revisions"
},
{
"lessThan": "2.2.3.5",
"status": "affected",
"version": "2.2.3",
"versionType": "custom"
}
]
},
{
"product": "Relion 670/650 Series",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "2.2.0 all revisions"
},
{
"status": "affected",
"version": "2.2.4 all revisions"
},
{
"status": "affected",
"version": "2.1 all revisions"
}
]
},
{
"product": "Relion 670/650/SAM600-IO",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "2.2.1 all revisions"
},
{
"lessThan": "2.2.5.2",
"status": "affected",
"version": "2.2.5",
"versionType": "custom"
}
]
},
{
"product": "Relion 650",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "1.1 all revisions"
},
{
"status": "affected",
"version": "1.2 all revisions"
},
{
"status": "affected",
"version": "1.0 all revisions"
},
{
"lessThan": "1.3.0.8",
"status": "affected",
"version": "1.3",
"versionType": "custom"
}
]
},
{
"product": "GMS600",
"vendor": "Hitachi Energy",
"versions": [
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.3.1.0 1.3.0.1"
},
{
"status": "affected",
"version": "1.2.0"
}
]
},
{
"product": "PWC600",
"vendor": "Hitachi Energy",
"versions": [
{
"lessThanOrEqual": "1.0.1.4",
"status": "affected",
"version": "1.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "1.1.0.1",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Hitachi Energy thanks the following for working with us to help protect customers: U.S. Department of Energy CyTRICS researcher Robert Erbes."
}
],
"datePublic": "2021-11-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-274",
"description": "CWE-274 Improper Handling of Insufficient Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-18T16:35:03.000Z",
"orgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"shortName": "Hitachi Energy"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"solutions": [
{
"lang": "en",
"value": "Refer to the cybersecurity advisories at https://www.hitachienergy.com/cybersecurity/alerts-and-notifications"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Security Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@hitachienergy.com",
"DATE_PUBLIC": "2021-11-04T11:00:00.000Z",
"ID": "CVE-2021-35534",
"STATE": "PUBLIC",
"TITLE": "Insufficient Security Control Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Relion 670 Series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.0",
"version_value": "2.0 all revisions"
},
{
"version_affected": "=",
"version_name": "2.2.2",
"version_value": "2.2.2 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "2.2.3",
"version_value": "2.2.3.5"
}
]
}
},
{
"product_name": "Relion 670/650 Series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.2.0",
"version_value": "2.2.0 all revisions"
},
{
"version_affected": "=",
"version_name": "2.2.4",
"version_value": "2.2.4 all revisions"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "2.1 all revisions"
}
]
}
},
{
"product_name": "Relion 670/650/SAM600-IO",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.2.1",
"version_value": "2.2.1 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "2.2.5",
"version_value": "2.2.5.2"
}
]
}
},
{
"product_name": "Relion 650",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.1",
"version_value": "1.1 all revisions"
},
{
"version_affected": "=",
"version_name": "1.2",
"version_value": "1.2 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "1.3",
"version_value": "1.3.0.8"
},
{
"version_name": "1.0",
"version_value": "1.0 all revisions"
}
]
}
},
{
"product_name": "GMS600",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.3.0",
"version_value": "1.3.0"
},
{
"version_affected": "=",
"version_name": "1.3.1.0",
"version_value": "1.3.0.1"
},
{
"version_affected": "=",
"version_name": "1.2.0",
"version_value": "1.2.0"
}
]
}
},
{
"product_name": "PWC600",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.1",
"version_value": "1.0.1.4"
},
{
"version_affected": "\u003c=",
"version_name": "1.1.0",
"version_value": "1.1.0.1"
}
]
}
}
]
},
"vendor_name": "Hitachi Energy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Hitachi Energy thanks the following for working with us to help protect customers: U.S. Department of Energy CyTRICS researcher Robert Erbes."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-274 Improper Handling of Insufficient Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"solution": [
{
"lang": "en",
"value": "Refer to the cybersecurity advisories at https://www.hitachienergy.com/cybersecurity/alerts-and-notifications"
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17",
"assignerShortName": "Hitachi Energy",
"cveId": "CVE-2021-35534",
"datePublished": "2021-11-18T16:35:03.214Z",
"dateReserved": "2021-06-28T00:00:00.000Z",
"dateUpdated": "2024-09-16T18:45:19.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-35534",
"date": "2026-06-14",
"epss": "0.00147",
"percentile": "0.35114"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-35534\",\"sourceIdentifier\":\"cybersecurity@hitachienergy.com\",\"published\":\"2021-11-18T17:15:08.397\",\"lastModified\":\"2024-11-21T06:12:27.813\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de control de seguridad insuficiente en el mecanismo de acceso a la base de datos interna de Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600, permite que un atacante que explote con \u00e9xito esta vulnerabilidad, de la que el producto no restringe suficientemente el acceso a las tablas de una base de datos interna, pueda permitir a cualquier persona con credenciales de usuario omitir los controles de seguridad que impone el producto. 
En consecuencia, una explotaci\u00f3n puede conllevar a modificaciones no autorizadas en los datos/firmware, y/o inhabilitar permanentemente el producto. Este problema afecta a: Hitachi Energy Relion 670 Series versiones 2.0 todas las revisiones; versiones 2.2.2 todas las revisiones; versiones 2.2.3 versiones anteriores a la 2.2.3.5. Hitachi Energy Relion 670/650 Series versiones 2.1 todas las revisiones. versiones 2.2.0 todas las revisiones; versiones 2.2.4 todas las revisiones; Hitachi Energy Relion 670/650/SAM600-IO versiones 2.2.1 todas las revisiones; versiones 2.2.5 versiones anteriores a la 2.2.5.2. Hitachi Energy Relion 650 versiones 1.0 todas las revisiones. versiones 1.1 todas las revisiones; versiones 1.2 todas las revisiones; versiones 1.3 versiones anteriores a la 1.3.0.8; Hitachi Energy GMS600 versiones 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 versi\u00f3n 1.0.1 versi\u00f3n 1.0.1.4 y versiones anteriores; versi\u00f3n 1.1.0 versi\u00f3n 1.1.0.1 y versiones anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":
1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:C/I:C/A:C\",\"baseScore\":9.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cybersecurity@hitachienergy.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-274\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:gms600_firmware:1.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8BD1DAF9-0CED-4670-B48B-54B86E2E318A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:gms600_firmware:1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C54D374C-379B-4912-9330-30488C19F66C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:gms600_firmware:1.3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8560EE29-37B4-4238-AFD8-783F32D4F269\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:gms600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB13E178-8C41-4FDB-89AE-23D0A9930B94\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62884938-0849-4632-AAD7-6B996711F5C5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.0.0:*:*:*
:*:*:*:*\",\"matchCriteriaId\":\"1883F52C-A7A6-42EA-B157-FC878470FBA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"253E4EBE-5FF2-4910-B38B-5EADB40FB877\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B91C1D5F-FE14-4121-A7C8-16F08D652610\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A59F3E51-D3D5-4846-B8AA-6BAD4BCCCCE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E368A106-A236-4A42-8608-43F47EB4A2C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"29D2A64B-F136-49B8-9AF8-F8057F9227E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8F2F0B80-070C-4610-862B-346994BFEC51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06064F73-366D-48C6-AACE-DCFC2F1B8E0E\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:relion_670:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADA98332-543F-48A7-B63C-B39F679D47F0\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D4E5C6F-BA1C-4D8C-B47D-05276288CE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:1.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49A3609C-7E6D-437E-92D4-468B6B221D23\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:1.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AFF6B12-6F54-40AF-9F9F-5AA311BA
9B8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9FE9C73D-76C1-4D26-8CD6-202E973FB30F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A79A86A-42DE-4BB4-96F5-5A841F5B4536\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA73DFC1-3953-48DB-BF8C-545BE5B7BFAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A406AD0-38C5-4C32-AA88-AA45EE97C315\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"48B56792-02FF-4E3E-B306-DC58FED37128\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"22E5CD7F-CD9D-4E89-BF2F-944300121D11\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:relion_650:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C658029-20F4-411A-B1FE-B4E07D590775\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB5C50F4-CF04-4C13-868A-F7ECE49DE01B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"698AED51-5521-4D9C-B2FA-F3D8526D9FB6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:relion_sam600-io:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E73E9D1A-1DFE-4B7C-81F1-0809071A3DDB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmw
are:1.0.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"654FC924-0DC2-457C-A23F-60B1E1C89FFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DFCC47A-A66A-4DCA-AD80-EB5D65381012\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9154F2F6-185C-436D-895B-0B3518505CFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7FA7AECE-9DC9-42B7-884C-F4F0866942B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F091EE96-07DB-4EF2-AABC-29C2E8DD58D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"31C0E3ED-C4E3-4BF9-B5FF-9067BC2220EA\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:hitachienergy:pwc600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C8CBFF7D-3B2E-4FA5-9E0C-15B78AFC8165\"}]}]}],\"references\":[{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@hitachienergy.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@hitachienergy.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"cybersecurity@hitachienergy.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
FKIE_CVE-2021-35534
Vulnerability from fkie_nvd - Published: 2021-11-18 17:15 - Updated: 2024-11-21 06:12 - 7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hitachienergy:gms600_firmware:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8BD1DAF9-0CED-4670-B48B-54B86E2E318A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:gms600_firmware:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C54D374C-379B-4912-9330-30488C19F66C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:gms600_firmware:1.3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8560EE29-37B4-4238-AFD8-783F32D4F269",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:hitachienergy:gms600:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CB13E178-8C41-4FDB-89AE-23D0A9930B94",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "62884938-0849-4632-AAD7-6B996711F5C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1883F52C-A7A6-42EA-B157-FC878470FBA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "253E4EBE-5FF2-4910-B38B-5EADB40FB877",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B91C1D5F-FE14-4121-A7C8-16F08D652610",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A59F3E51-D3D5-4846-B8AA-6BAD4BCCCCE3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E368A106-A236-4A42-8608-43F47EB4A2C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "29D2A64B-F136-49B8-9AF8-F8057F9227E0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8F2F0B80-070C-4610-862B-346994BFEC51",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "06064F73-366D-48C6-AACE-DCFC2F1B8E0E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:hitachienergy:relion_670:-:*:*:*:*:*:*:*",
"matchCriteriaId": "ADA98332-543F-48A7-B63C-B39F679D47F0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5D4E5C6F-BA1C-4D8C-B47D-05276288CE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "49A3609C-7E6D-437E-92D4-468B6B221D23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3AFF6B12-6F54-40AF-9F9F-5AA311BA9B8B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9FE9C73D-76C1-4D26-8CD6-202E973FB30F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0A79A86A-42DE-4BB4-96F5-5A841F5B4536",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EA73DFC1-3953-48DB-BF8C-545BE5B7BFAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3A406AD0-38C5-4C32-AA88-AA45EE97C315",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "48B56792-02FF-4E3E-B306-DC58FED37128",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22E5CD7F-CD9D-4E89-BF2F-944300121D11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:hitachienergy:relion_650:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1C658029-20F4-411A-B1FE-B4E07D590775",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DB5C50F4-CF04-4C13-868A-F7ECE49DE01B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "698AED51-5521-4D9C-B2FA-F3D8526D9FB6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:hitachienergy:relion_sam600-io:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E73E9D1A-1DFE-4B7C-81F1-0809071A3DDB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "654FC924-0DC2-457C-A23F-60B1E1C89FFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0DFCC47A-A66A-4DCA-AD80-EB5D65381012",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9154F2F6-185C-436D-895B-0B3518505CFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7FA7AECE-9DC9-42B7-884C-F4F0866942B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F091EE96-07DB-4EF2-AABC-29C2E8DD58D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "31C0E3ED-C4E3-4BF9-B5FF-9067BC2220EA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:hitachienergy:pwc600:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C8CBFF7D-3B2E-4FA5-9E0C-15B78AFC8165",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions."
},
{
"lang": "es",
"value": "Una vulnerabilidad de control de seguridad insuficiente en el mecanismo de acceso a la base de datos interna de Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600, permite que un atacante que explote con \u00e9xito esta vulnerabilidad, de la que el producto no restringe suficientemente el acceso a las tablas de una base de datos interna, pueda permitir a cualquier persona con credenciales de usuario omitir los controles de seguridad que impone el producto. En consecuencia, una explotaci\u00f3n puede conllevar a modificaciones no autorizadas en los datos/firmware, y/o inhabilitar permanentemente el producto. Este problema afecta a: Hitachi Energy Relion 670 Series versiones 2.0 todas las revisiones; versiones 2.2.2 todas las revisiones; versiones 2.2.3 versiones anteriores a la 2.2.3.5. Hitachi Energy Relion 670/650 Series versiones 2.1 todas las revisiones. versiones 2.2.0 todas las revisiones; versiones 2.2.4 todas las revisiones; Hitachi Energy Relion 670/650/SAM600-IO versiones 2.2.1 todas las revisiones; versiones 2.2.5 versiones anteriores a la 2.2.5.2. Hitachi Energy Relion 650 versiones 1.0 todas las revisiones. versiones 1.1 todas las revisiones; versiones 1.2 todas las revisiones; versiones 1.3 versiones anteriores a la 1.3.0.8; Hitachi Energy GMS600 versiones 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 versi\u00f3n 1.0.1 versi\u00f3n 1.0.1.4 y versiones anteriores; versi\u00f3n 1.1.0 versi\u00f3n 1.1.0.1 y versiones anteriores."
}
],
"id": "CVE-2021-35534",
"lastModified": "2024-11-21T06:12:27.813",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-18T17:15:08.397",
"references": [
{
"source": "cybersecurity@hitachienergy.com",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@hitachienergy.com",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "cybersecurity@hitachienergy.com",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"sourceIdentifier": "cybersecurity@hitachienergy.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-274"
}
],
"source": "cybersecurity@hitachienergy.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-72PF-J5FJ-GG32
Vulnerability from github – Published: 2021-11-19 00:00 – Updated: 2022-10-27 19:00
Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-35534"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-274",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-18T17:15:00Z",
"severity": "HIGH"
},
"details": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions.",
"id": "GHSA-72pf-j5fj-gg32",
"modified": "2022-10-27T19:00:29Z",
"published": "2021-11-19T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35534"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GSD-2021-35534
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-35534",
"description": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions.",
"id": "GSD-2021-35534"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-35534"
],
"details": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions.",
"id": "GSD-2021-35534",
"modified": "2023-12-13T01:23:28.256782Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@hitachienergy.com",
"DATE_PUBLIC": "2021-11-04T11:00:00.000Z",
"ID": "CVE-2021-35534",
"STATE": "PUBLIC",
"TITLE": "Insufficient Security Control Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Relion 670 Series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.0",
"version_value": "2.0 all revisions"
},
{
"version_affected": "=",
"version_name": "2.2.2",
"version_value": "2.2.2 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "2.2.3",
"version_value": "2.2.3.5"
}
]
}
},
{
"product_name": "Relion 670/650 Series",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.2.0",
"version_value": "2.2.0 all revisions"
},
{
"version_affected": "=",
"version_name": "2.2.4",
"version_value": "2.2.4 all revisions"
},
{
"version_affected": "=",
"version_name": "2.1",
"version_value": "2.1 all revisions"
}
]
}
},
{
"product_name": "Relion 670/650/SAM600-IO",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "2.2.1",
"version_value": "2.2.1 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "2.2.5",
"version_value": "2.2.5.2"
}
]
}
},
{
"product_name": "Relion 650",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.1",
"version_value": "1.1 all revisions"
},
{
"version_affected": "=",
"version_name": "1.2",
"version_value": "1.2 all revisions"
},
{
"version_affected": "\u003c",
"version_name": "1.3",
"version_value": "1.3.0.8"
},
{
"version_name": "1.0",
"version_value": "1.0 all revisions"
}
]
}
},
{
"product_name": "GMS600",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "1.3.0",
"version_value": "1.3.0"
},
{
"version_affected": "=",
"version_name": "1.3.1.0",
"version_value": "1.3.0.1"
},
{
"version_affected": "=",
"version_name": "1.2.0",
"version_value": "1.2.0"
}
]
}
},
{
"product_name": "PWC600",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.0.1",
"version_value": "1.0.1.4"
},
{
"version_affected": "\u003c=",
"version_name": "1.1.0",
"version_value": "1.1.0.1"
}
]
}
}
]
},
"vendor_name": "Hitachi Energy"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Hitachi Energy thanks the following for working with us to help protect customers: U.S. Department of Energy CyTRICS researcher Robert Erbes."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-274 Improper Handling of Insufficient Privileges"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"solution": [
{
"lang": "eng",
"value": "Refer to the cybersecurity advisories at https://www.hitachienergy.com/cybersecurity/alerts-and-notifications"
}
],
"source": {
"discovery": "EXTERNAL"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:gms600_firmware:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:gms600_firmware:1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:gms600_firmware:1.3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hitachienergy:gms600:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_670_firmware:2.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hitachienergy:relion_670:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_650_firmware:2.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hitachienergy:relion_650:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:relion_sam600-io_firmware:2.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hitachienergy:relion_sam600-io:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.0.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hitachienergy:pwc600_firmware:1.1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:hitachienergy:pwc600:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@hitachienergy.com",
"ID": "CVE-2021-35534"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Insufficient security control vulnerability in internal database access mechanism of Hitachi Energy Relion 670/650/SAM600-IO, Relion 650, GMS600, PWC600 allows attacker who successfully exploited this vulnerability, of which the product does not sufficiently restrict access to an internal database tables, could allow anybody with user credentials to bypass security controls that is enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product. This issue affects: Hitachi Energy Relion 670 Series 2.0 all revisions; 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.5. Hitachi Energy Relion 670/650 Series 2.1 all revisions. 2.2.0 all revisions; 2.2.4 all revisions; Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions; 2.2.5 versions prior to 2.2.5.2. Hitachi Energy Relion 650 1.0 all revisions. 1.1 all revisions; 1.2 all revisions; 1.3 versions prior to 1.3.0.8; Hitachi Energy GMS600 1.3.0; 1.3.0.1; 1.2.0. Hitachi Energy PWC600 1.0.1 version 1.0.1.4 and prior versions; 1.1.0 version 1.1.0.1 and prior versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000059\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-04-19T15:32Z",
"publishedDate": "2021-11-18T17:15Z"
}
}
}
ICSA-21-343-01
Vulnerability from csaf_cisa - Published: 2021-12-09 00:00 - Updated: 2021-12-09 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PWC600: Version 1.0.1.0
Hitachi Energy / PWC600
|
1.0.1.0 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 650 series: Version 1.2 all revisions
Hitachi Energy / Relion 650 series
|
1.2 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 650 series: Version 1.3 all revisions
Hitachi Energy / Relion 650 series
|
1.3 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
GMS600: Version 1.3.0
Hitachi Energy / GMS600
|
1.3.0 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670/650 series: Version 2.2.0 all revisions
Hitachi Energy / Relion 670/650 series
|
2.2.0 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
PWC600: Version 1.0.1.1
Hitachi Energy / PWC600
|
1.0.1.1 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670/650/SAM600-IO series: Version 2.2.1 all revisions
Hitachi Energy / Relion 670/650/SAM600-IO series
|
2.2.1 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
PWC600: Version 1.0.1.3
Hitachi Energy / PWC600
|
1.0.1.3 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
PWC600: Version 1.1.0.1
Hitachi Energy / PWC600
|
1.1.0.1 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 650 series: Version 1.0 all revisions
Hitachi Energy / Relion 650 series
|
1.0 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670/650 series: Version 2.1 all revisions
Hitachi Energy / Relion 670/650 series
|
2.1 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670 series: Version 2.2.2 all revisions
Hitachi Energy / Relion 670 series
|
2.2.2 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670 series: Version 2.2.3 revisions up to 2.2.3.4
Hitachi Energy / Relion 670 series
|
>= 2.2.3 | <= 2.2.3.4 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670/650 series: Version 2.2.4 all revisions
Hitachi Energy / Relion 670/650 series
|
2.2.4 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670/650/SAM600-IO series: Version 2.2.5 revisions up to 2.2.5.1
Hitachi Energy / Relion 670/650/SAM600-IO series
|
2.2.5 <= 2.2.5.1 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
PWC600: Version 1.0.1.4
Hitachi Energy / PWC600
|
1.0.1.4 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 670 series: Version 2.0 all revisions
Hitachi Energy / Relion 670 series
|
2.0 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
GMS600: Version 1.3.1.0
Hitachi Energy / GMS600
|
1.3.1.0 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
GMS600: Version 1.2.0
Hitachi Energy / GMS600
|
1.2.0 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
PWC600: Version 1.1.0.0
Hitachi Energy / PWC600
|
1.1.0.0 |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
|
|
Relion 650 series: Version 1.1 all revisions
Hitachi Energy / Relion 650 series
|
1.1 * |
Mitigation
Mitigation
Vendor Fix
Vendor Fix
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
Mitigation
fix
Mitigation
fix
|
{
"document": {
"acknowledgments": [
{
"names": [
"an anonymous party"
],
"organization": "Idaho National Laboratory",
"summary": "reporting this vulnerability to Hitachi Energy"
},
{
"organization": "Department of Energy",
"summary": "reporting this vulnerability to Hitachi Energy"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
"title": "CISA Disclaimer"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "summary",
"text": "This updated advisory is a follow-up to the original advisory titled ICSA-21-343-01 Hitachi Energy GMS600, PWC600, and Relion that was published December 9, 2021, on the ICS webpage at cisa.gov/ics.",
"title": "Update Summary"
},
{
"category": "summary",
"text": "Successful exploitation of this vulnerability could allow an attacker with user credentials to bypass security controls enforced by the product, which may lead to unauthorized modifications on data/firmware, and/or permanent disabling of the product.",
"title": "Risk evaluation"
},
{
"category": "other",
"text": "Multiple Sectors",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Switzerland",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "No known public exploits specifically target this vulnerability.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-21-343-01 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2021/icsa-21-343-01.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-21-343-01 Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-21-343-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/ics/Recommended-Practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://cisa.gov/ics"
}
],
"title": "Hitachi Energy GMS600, PWC600, and Relion",
"tracking": {
"current_release_date": "2021-12-09T00:00:00.000000Z",
"generator": {
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-21-343-01",
"initial_release_date": "2021-12-09T00:00:00.000000Z",
"revision_history": [
{
"date": "2021-12-09T00:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "ICSA-21-343-01 Hitachi Energy GMS600, PWC600, and Relion"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0.1.0",
"product": {
"name": "PWC600: Version 1.0.1.0",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.2 *",
"product": {
"name": "Relion 650 series: Version 1.2 all revisions",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "Relion 650 series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.3 *",
"product": {
"name": "Relion 650 series: Version 1.3 all revisions",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "Relion 650 series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.3.0",
"product": {
"name": "GMS600: Version 1.3.0",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "GMS600"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2.0 *",
"product": {
"name": "Relion 670/650 series: Version 2.2.0 all revisions",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "Relion 670/650 series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.0.1.1",
"product": {
"name": "PWC600: Version 1.0.1.1",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2.1 *",
"product": {
"name": "Relion 670/650/SAM600-IO series: Version 2.2.1 all revisions",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "Relion 670/650/SAM600-IO series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.0.1.3",
"product": {
"name": "PWC600: Version 1.0.1.3",
"product_id": "CSAFPID-0008"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.1.0.1",
"product": {
"name": "PWC600: Version 1.1.0.1",
"product_id": "CSAFPID-0009"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.0 *",
"product": {
"name": "Relion 650 series: Version 1.0 all revisions",
"product_id": "CSAFPID-00010"
}
}
],
"category": "product_name",
"name": "Relion 650 series"
},
{
"branches": [
{
"category": "product_version",
"name": "2.1 *",
"product": {
"name": "Relion 670/650 series: Version 2.1 all revisions",
"product_id": "CSAFPID-00011"
}
}
],
"category": "product_name",
"name": "Relion 670/650 series"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2.2 *",
"product": {
"name": "Relion 670 series: Version 2.2.2 all revisions",
"product_id": "CSAFPID-00012"
}
}
],
"category": "product_name",
"name": "Relion 670 series"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e= 2.2.3 | \u003c= 2.2.3.4",
"product": {
"name": "Relion 670 series: Version 2.2.3 revisions up to 2.2.3.4",
"product_id": "CSAFPID-00013"
}
}
],
"category": "product_name",
"name": "Relion 670 series"
},
{
"branches": [
{
"category": "product_version",
"name": "2.2.4 *",
"product": {
"name": "Relion 670/650 series: Version 2.2.4 all revisions",
"product_id": "CSAFPID-00014"
}
}
],
"category": "product_name",
"name": "Relion 670/650 series"
},
{
"branches": [
{
"category": "product_version_range",
"name": "2.2.5 \u003c= 2.2.5.1",
"product": {
"name": "Relion 670/650/SAM600-IO series: Version 2.2.5 revisions up to 2.2.5.1",
"product_id": "CSAFPID-00015"
}
}
],
"category": "product_name",
"name": "Relion 670/650/SAM600-IO series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.0.1.4",
"product": {
"name": "PWC600: Version 1.0.1.4",
"product_id": "CSAFPID-00016"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "2.0 *",
"product": {
"name": "Relion 670 series: Version 2.0 all revisions",
"product_id": "CSAFPID-00017"
}
}
],
"category": "product_name",
"name": "Relion 670 series"
},
{
"branches": [
{
"category": "product_version",
"name": "1.3.1.0",
"product": {
"name": "GMS600: Version 1.3.1.0",
"product_id": "CSAFPID-00018"
}
}
],
"category": "product_name",
"name": "GMS600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.2.0",
"product": {
"name": "GMS600: Version 1.2.0",
"product_id": "CSAFPID-00019"
}
}
],
"category": "product_name",
"name": "GMS600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.1.0.0",
"product": {
"name": "PWC600: Version 1.1.0.0",
"product_id": "CSAFPID-00020"
}
}
],
"category": "product_name",
"name": "PWC600"
},
{
"branches": [
{
"category": "product_version",
"name": "1.1 *",
"product": {
"name": "Relion 650 series: Version 1.1 all revisions",
"product_id": "CSAFPID-00021"
}
}
],
"category": "product_name",
"name": "Relion 650 series"
}
],
"category": "vendor",
"name": "Hitachi Energy"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-35534",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "summary",
"text": "An attacker could exploit this vulnerability by first gaining access to the credentials of any account or to a session ticket issued for an account. After gaining access via the configuration tool that uses the proprietary Open Database Connectivity (ODBC) protocol (TCP 2102), the database table can be manipulated for privilege escalation, which then allows unauthorized modification or permanent disabling of the device. CVE-2021-35534 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).",
"title": "Vulnerability Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
"references": [
{
"category": "external",
"summary": "web.nvd.nist.gov",
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35534"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "mitigation",
"details": "Relion 670 series Version 2.2.3: Update to Version 2.2.3.5",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Relion 670/650/SAM600-IO series Version 2.2.5: Update to Version 2.2.5.2",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "vendor_fix",
"details": "Relion 650 series Version 1.3: Update to Version 1.3.0.8",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "vendor_fix",
"details": "Relion 650 series Version 1.2: Update to Version 1.3",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "For other affected versions, please follow mitigation factors in Hitachi Energy\u0027s advisories. Hitachi Energy recommends the following security practices and firewall configurations to help protect process control networks from attacks that originate from outside the network: Physically protect process control systems from direct access by unauthorized personnel.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Do not directly connect to the Internet.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Separate from other networks by means of a firewall system that has a minimal number of ports exposed.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Limit use of the Open Database Connectivity (ODBC) protocol for device configuration to within the substation only.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
},
{
"category": "mitigation",
"details": "For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, visit Hitachi Energy contact-centers.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://www.hitachienergy.com/contact-us/"
},
{
"category": "mitigation",
"details": "Please see the Hitachi Energy PWC600, GMS600, and Relion advisories for additional mitigation and update information.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000060\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007",
"CSAFPID-0008",
"CSAFPID-0009",
"CSAFPID-00010",
"CSAFPID-00011",
"CSAFPID-00012",
"CSAFPID-00013",
"CSAFPID-00014",
"CSAFPID-00015",
"CSAFPID-00016",
"CSAFPID-00017",
"CSAFPID-00018",
"CSAFPID-00019",
"CSAFPID-00020",
"CSAFPID-00021"
]
}
]
}
]
}
ICSA-25-065-02
Vulnerability from csaf_cisa - Published: 2021-11-04 13:30 - Updated: 2025-02-25 13:30
A vulnerability exists in the database schema inside the product. An attacker could exploit the vulnerability by first gaining access to the credentials of any account or to a session ticket issued for an account. After that, via the configuration tool that accesses the proprietary Open Database Connectivity (ODBC) protocol (TCP 2102), the database table can be manipulated for privilege escalation, which then allows unauthorized modification or permanent disabling of the device.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Hitachi Energy Relion 670 series version 2.0.0 revisions up to 2.0.0.13
Hitachi Energy / Relion 670 series
|
>=2.0.0.0|<=2.0.0.14 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.1.0 revisions up to 2.1.0.4
Hitachi Energy / Relion 670 series
|
>=2.1.0.0|<=2.1.0.4 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.0 all revisions
Hitachi Energy / Relion 670 series
|
>=2.2.0.0|<2.2.1 |
Mitigation
|
|
|
Hitachi Energy Relion 670 series version 2.2.1 revisions up to 2.2.1.7
Hitachi Energy / Relion 670 series
|
>=2.2.1.0|<=2.2.1.7 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.2 revisions up to 2.2.2.4
Hitachi Energy / Relion 670 series
|
>=2.2.2.0|<=2.2.2.4 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.4 revisions up to 2.2.4.2
Hitachi Energy / Relion 670 series
|
>=2.2.4.0|<=2.2.4.2 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.5 up to revision 2.2.5.1
Hitachi Energy / Relion 670 series
|
>=2.2.5.0|<=2.2.5.1 |
Vendor Fix
|
|
|
Hitachi Energy Relion 650 series version 1.0.0 all revisions
Hitachi Energy / Relion 650 series
|
>=1.0.0.0|<1.0.1 |
Mitigation
|
|
|
Hitachi Energy Relion 650 series version 1.1.0 all revisions
Hitachi Energy / Relion 650 series
|
>=1.1.0.0|<1.1.1 |
Mitigation
|
|
|
Hitachi Energy Relion 650 series version 1.2.0 all revisions
Hitachi Energy / Relion 650 series
|
>=1.2.0.0|<1.2.1 |
Mitigation
|
|
|
Hitachi Energy Relion 650 series version 1.3.0 revisions up to 1.3.0.8
Hitachi Energy / Relion 650 series
|
>=1.3.0.0|<=1.3.0.7 | ||
|
Hitachi Energy Relion 650 series version 2.1.0 revisions up to 2.1.0.4
Hitachi Energy / Relion 650 series
|
>=2.1.0.0|<=2.1.0.4 |
Vendor Fix
|
|
|
Hitachi Energy Relion 650 series version 2.2.0 all revisions
Hitachi Energy / Relion 650 series
|
>=2.2.0.0|<2.2.1 | ||
|
Hitachi Energy Relion 650 series version 2.2.1 revisions up to 2.2.1.7
Hitachi Energy / Relion 650 series
|
>=2.2.1.0|<=2.2.1.7 |
Vendor Fix
|
|
|
Hitachi Energy Relion 650 series version 2.2.4 revisions up to 2.2.4.2
Hitachi Energy / Relion 650 series
|
>=2.2.4.0|<=2.2.4.2 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.5 up to revision 2.2.5.1
Hitachi Energy / Relion 650 series
|
>=2.2.5.0|<=2.2.5.1 |
Vendor Fix
|
|
|
Hitachi Energy Relion SAM600-IO series version 2.2.1 revisions up to 2.2.1.7
Hitachi Energy / Relion SAM600-IO
|
>=2.2.1.0|<=2.2.1.7 |
Vendor Fix
|
|
|
Hitachi Energy Relion SAM600-IO series version 2.2.5 up to revision 2.2.5.1
Hitachi Energy / Relion SAM600-IO
|
>=2.2.5.0|<=2.2.5.1 |
Vendor Fix
|
|
|
Hitachi Energy Relion 670 series version 2.2.3 revisions up to 2.2.3.4
Hitachi Energy / Relion 670 series
|
>=2.2.3.0|<=2.2.3.4 |
Vendor Fix
|
{
"document": {
"acknowledgments": [
{
"names": [
"Robert Erbes"
],
"organization": "U.S. Department of Energy CyTRICS",
"summary": "reporting this vulnerability to Hitachi Energy."
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/specification-document",
"text": "HIGH"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://us-cert.cisa.gov/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "summary",
"text": "Hitachi Energy is aware of a vulnerability report from a U.S. Department of Energy CyTRICS researcher concerning the Relion\u00ae 670/650/SAM600-IO series versions listed below. Remediation is available for some versions. Recommended actions for each affected version are listed in the Recommended Immediate Actions section.\nSuccessful exploitation of this vulnerability, in which the product does not sufficiently restrict access to internal database tables, could allow anybody with user credentials to bypass security controls that are enforced by the product. Consequently, exploitation may lead to unauthorized modifications on data/firmware, and/or to permanently disabling the product.",
"title": "Summary"
},
{
"category": "legal_disclaimer",
"text": "The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.",
"title": "Notice"
},
{
"category": "general",
"text": "For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https://www.hitachienergy.com/contact-us/ for Hitachi Energy contact-centers.",
"title": "Support"
},
{
"category": "general",
"text": "Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. For instance, Open Database Connectivity (ODBC) protocol that is used for device configuration should be limited within the substation only.\nProcess control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.",
"title": "General Mitigation Factors"
},
{
"category": "legal_disclaimer",
"text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
"title": "Legal Notice"
},
{
"category": "other",
"text": "This CISA CSAF advisory was converted from Hitachi Energy PSIRT\u0027s CSAF advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Multiple",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Switzerland",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-25-065-02 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2025/icsa-25-065-02.json"
},
{
"category": "self",
"summary": "Cybersecurity Advisory - Insufficient Security Control Vulnerability in Hitachi Energy Relion 670/650/SAM600-IO series Products",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-25-065-02 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-065-02"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
}
],
"title": "Hitachi Energy Relion 670/650/SAM600-IO",
"tracking": {
"current_release_date": "2025-02-25T13:30:00.000000Z",
"generator": {
"date": "2025-03-05T10:29:26.650000Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.0.0"
}
},
"id": "ICSA-25-065-02",
"initial_release_date": "2021-11-04T13:30:00.000000Z",
"revision_history": [
{
"date": "2021-11-04T13:30:00.000000Z",
"number": "1",
"summary": "Initial version."
},
{
"date": "2021-12-07T11:00:00.000000Z",
"number": "2",
"summary": "Update on Section Recommended Immediate Actions"
},
{
"date": "2023-03-14T11:00:00.000000Z",
"number": "3",
"summary": "Update on Section Recommended Immediate Actions"
},
{
"date": "2025-02-25T13:30:00.000000Z",
"number": "4",
"summary": "Update on Section Recommended Immediate Actions"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=2.2.0.0|\u003c2.2.1",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.0 all revisions",
"product_id": "CSAFPID-0001"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.1.0|\u003c=2.2.1.7",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.1 revisions up to 2.2.1.7",
"product_id": "CSAFPID-0002"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.2.0|\u003c=2.2.2.4",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.2 revisions up to 2.2.2.4",
"product_id": "CSAFPID-0003"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.3.0|\u003c=2.2.3.4",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.3 revisions up to 2.2.3.4",
"product_id": "CSAFPID-0004"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.4.0|\u003c=2.2.4.2",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.4 revisions up to 2.2.4.2",
"product_id": "CSAFPID-0005"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.5.0|\u003c=2.2.5.1",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.5 up to revision 2.2.5.1",
"product_id": "CSAFPID-0006"
}
},
{
"category": "product_version",
"name": "2.2.1.8",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.1.8",
"product_id": "CSAFPID-0007"
}
},
{
"category": "product_version",
"name": "2.2.2.5",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.2.5",
"product_id": "CSAFPID-0008"
}
},
{
"category": "product_version",
"name": "2.2.3.5",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.3.5",
"product_id": "CSAFPID-0009"
}
},
{
"category": "product_version",
"name": "2.2.4.3",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.4.3",
"product_id": "CSAFPID-0010"
}
},
{
"category": "product_version",
"name": "2.2.5.2",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.5.2",
"product_id": "CSAFPID-0011"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.1.0.0|\u003c=2.1.0.4",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.1.0 revisions up to 2.1.0.4",
"product_id": "CSAFPID-0012"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.0.0.0|\u003c=2.0.0.14",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.0.0 revisions up to 2.0.0.13",
"product_id": "CSAFPID-0013"
}
},
{
"category": "product_version",
"name": "2.1.0.5",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.1.0.5",
"product_id": "CSAFPID-0014"
}
},
{
"category": "product_version",
"name": "2.0.0.14",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.0.0.14",
"product_id": "CSAFPID-0015"
}
}
],
"category": "product_family",
"name": "Relion 670 series"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=2.2.0.0|\u003c2.2.1",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.0 all revisions",
"product_id": "CSAFPID-0016"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.1.0|\u003c=2.2.1.7",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.1 revisions up to 2.2.1.7",
"product_id": "CSAFPID-0017"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.4.0|\u003c=2.2.4.2",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.4 revisions up to 2.2.4.2",
"product_id": "CSAFPID-0018"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.5.0|\u003c=2.2.5.1",
"product": {
"name": "Hitachi Energy Relion 670 series version 2.2.5 up to revision 2.2.5.1",
"product_id": "CSAFPID-0019"
}
},
{
"category": "product_version",
"name": "2.2.1.8",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.1.8",
"product_id": "CSAFPID-0020"
}
},
{
"category": "product_version",
"name": "2.2.4.3",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.4.3",
"product_id": "CSAFPID-0021"
}
},
{
"category": "product_version",
"name": "2.2.5.2",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.2.5.2",
"product_id": "CSAFPID-0022"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.1.0.0|\u003c=2.1.0.4",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.1.0 revisions up to 2.1.0.4",
"product_id": "CSAFPID-0023"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.3.0.0|\u003c=1.3.0.7",
"product": {
"name": "Hitachi Energy Relion 650 series version 1.3.0 revisions up to 1.3.0.8",
"product_id": "CSAFPID-0024"
}
},
{
"category": "product_version",
"name": "2.1.0.5",
"product": {
"name": "Hitachi Energy Relion 650 series version 2.1.0.5",
"product_id": "CSAFPID-0025"
}
},
{
"category": "product_version",
"name": "1.3.0.8",
"product": {
"name": "Hitachi Energy Relion 650 series version 1.3.0.8",
"product_id": "CSAFPID-0026"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.2.0.0|\u003c1.2.1",
"product": {
"name": "Hitachi Energy Relion 650 series version 1.2.0 all revisions",
"product_id": "CSAFPID-0027"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.1.0.0|\u003c1.1.1",
"product": {
"name": "Hitachi Energy Relion 650 series version 1.1.0 all revisions",
"product_id": "CSAFPID-0028"
}
},
{
"category": "product_version_range",
"name": "\u003e=1.0.0.0|\u003c1.0.1",
"product": {
"name": "Hitachi Energy Relion 650 series version 1.0.0 all revisions",
"product_id": "CSAFPID-0029"
}
}
],
"category": "product_family",
"name": "Relion 650 series"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=2.2.1.0|\u003c=2.2.1.7",
"product": {
"name": "Hitachi Energy Relion SAM600-IO series version 2.2.1 revisions up to 2.2.1.7",
"product_id": "CSAFPID-0030"
}
},
{
"category": "product_version_range",
"name": "\u003e=2.2.5.0|\u003c=2.2.5.1",
"product": {
"name": "Hitachi Energy Relion SAM600-IO series version 2.2.5 up to revision 2.2.5.1",
"product_id": "CSAFPID-0031"
}
},
{
"category": "product_version",
"name": "2.2.1.8",
"product": {
"name": "Hitachi Energy Relion SAM600-IO series version 2.2.1.8",
"product_id": "CSAFPID-0032"
}
},
{
"category": "product_version",
"name": "2.2.5.2",
"product": {
"name": "Hitachi Energy Relion SAM600-IO series version 2.2.5.2",
"product_id": "CSAFPID-0033"
}
}
],
"category": "product_family",
"name": "Relion SAM600-IO"
}
],
"category": "vendor",
"name": "Hitachi Energy"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-35534",
"cwe": {
"id": "CWE-274",
"name": "Improper Handling of Insufficient Privileges"
},
"notes": [
{
"category": "description",
"text": "A vulnerability exists in the database schema inside the product. An attacker could exploit the vulnerability by first gaining access to the credentials of any account or to a\nsession ticket issued for an account. After that, via the configuration\ntool that accesses the proprietary Open Database Connectivity\n(ODBC) protocol (TCP 2102), the database table can be manipulated\nfor privilege escalation, which then allows unauthorized modification or\npermanent disabling of the device. "
}
],
"product_status": {
"known_affected": [
"CSAFPID-0013",
"CSAFPID-0012",
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0029",
"CSAFPID-0028",
"CSAFPID-0027",
"CSAFPID-0024",
"CSAFPID-0023",
"CSAFPID-0016",
"CSAFPID-0017",
"CSAFPID-0018",
"CSAFPID-0019",
"CSAFPID-0030",
"CSAFPID-0031",
"CSAFPID-0004"
]
},
"references": [
{
"category": "external",
"summary": "NVD - CVE-2021-35534",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "Update to Relion 670/650/SAM600-IO series version 2.2.1.8",
"product_ids": [
"CSAFPID-0017",
"CSAFPID-0002",
"CSAFPID-0030"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670 series version 2.2.2.5",
"product_ids": [
"CSAFPID-0003"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670 series version 2.2.3.5",
"product_ids": [
"CSAFPID-0004"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670/650 series version 2.2.4.3",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0018"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670/650/SAM600-IO series version 2.2.5.2",
"product_ids": [
"CSAFPID-0019",
"CSAFPID-0006",
"CSAFPID-0031"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670/650 series version 2.1.0.5",
"product_ids": [
"CSAFPID-0023",
"CSAFPID-0012"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 670/650 series version 2.0.0.14",
"product_ids": [
"CSAFPID-0013"
]
},
{
"category": "vendor_fix",
"details": "Update to Relion 650 series version 1.3.0.8",
"product_ids": [
"CSAFPID-0026"
]
},
{
"category": "mitigation",
"details": "Refer to the General Mitigation Factors/Workaround Section for the current mitigation strategy.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0028",
"CSAFPID-0029"
]
},
{
"category": "mitigation",
"details": "Refer to the Mitigation Factors/Workaround Section for the\ncurrent mitigation strategy or upgrade to Relion 650 series\nversion 1.3.",
"product_ids": [
"CSAFPID-0027"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7.2,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"temporalScore": 7.2,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0013",
"CSAFPID-0012",
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0029",
"CSAFPID-0028",
"CSAFPID-0027",
"CSAFPID-0024",
"CSAFPID-0023",
"CSAFPID-0016",
"CSAFPID-0017",
"CSAFPID-0018",
"CSAFPID-0019",
"CSAFPID-0030",
"CSAFPID-0031"
]
}
]
}
]
}
WID-SEC-W-2025-0436
Vulnerability from csaf_certbund - Published: 2021-12-09 23:00 - Updated: 2025-02-25 23:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| ABB Relion SAM600-IO<br>ABB / Relion | cpe:/h:abb:relion:sam600-io | SAM600-IO | |
| ABB Relion 650<br>ABB / Relion | cpe:/h:abb:relion:650 | 650 | |
| ABB Relion 670<br>ABB / Relion | cpe:/h:abb:relion:670 | 670 | |
| Hitachi Energy Relion SAM600-IO<br>hitachienergy / relion | cpe:/h:hitachienergy:relion:sam600-io | SAM600-IO | |
| Hitachi Energy Relion 650<br>hitachienergy / relion | cpe:/h:hitachienergy:relion:650 | 650 | |
| Hitachi Energy Relion 670<br>hitachienergy / relion | cpe:/h:hitachienergy:relion:670 | 670 | |
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Die Relion-Produktfamilie umfasst Produkte f\u00fcr Schutz, Steuerung, Messung und \u00dcberwachung von Energiesystemen f\u00fcr IEC- und ANSI-Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Hitachi Energy Relion ausnutzen, um seine Privilegien zu erh\u00f6hen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Appliance",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0436 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2025-0436.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0436 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0436"
},
{
"category": "external",
"summary": "Hitachi Security Advisory vom 2021-12-09",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000058\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
},
{
"category": "external",
"summary": "Hitachi Cybersecurity Advisory",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000058"
}
],
"source_lang": "en-US",
"title": "Hitachi Energy Relion: Schwachstelle erm\u00f6glicht Privilegieneskalation",
"tracking": {
"current_release_date": "2025-02-25T23:00:00.000+00:00",
"generator": {
"date": "2025-02-26T09:48:29.599+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-0436",
"initial_release_date": "2021-12-09T23:00:00.000+00:00",
"revision_history": [
{
"date": "2021-12-09T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-02-25T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von HITACHI aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "670",
"product": {
"name": "ABB Relion 670",
"product_id": "T016943",
"product_identification_helper": {
"cpe": "cpe:/h:abb:relion:670"
}
}
},
{
"category": "product_version",
"name": "650",
"product": {
"name": "ABB Relion 650",
"product_id": "T016944",
"product_identification_helper": {
"cpe": "cpe:/h:abb:relion:650"
}
}
},
{
"category": "product_version",
"name": "SAM600-IO",
"product": {
"name": "ABB Relion SAM600-IO",
"product_id": "T016945",
"product_identification_helper": {
"cpe": "cpe:/h:abb:relion:sam600-io"
}
}
}
],
"category": "product_name",
"name": "Relion"
}
],
"category": "vendor",
"name": "ABB"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "670",
"product": {
"name": "Hitachi Energy Relion 670",
"product_id": "T041401",
"product_identification_helper": {
"cpe": "cpe:/h:hitachienergy:relion:670"
}
}
},
{
"category": "product_version",
"name": "650",
"product": {
"name": "Hitachi Energy Relion 650",
"product_id": "T041402",
"product_identification_helper": {
"cpe": "cpe:/h:hitachienergy:relion:650"
}
}
},
{
"category": "product_version",
"name": "SAM600-IO",
"product": {
"name": "Hitachi Energy Relion SAM600-IO",
"product_id": "T041403",
"product_identification_helper": {
"cpe": "cpe:/h:hitachienergy:relion:sam600-io"
}
}
}
],
"category": "product_name",
"name": "relion"
}
],
"category": "vendor",
"name": "hitachienergy"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-35534",
"product_status": {
"known_affected": [
"T016945",
"T016944",
"T016943",
"T041403",
"T041402",
"T041401"
]
},
"release_date": "2021-12-09T23:00:00.000+00:00",
"title": "CVE-2021-35534"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.