CVE-2022-3864

EUVD-2022-43204

04.01.2024, 10:15

A vulnerability exists in the Relion update package signature validation. A tampered update package could cause the IED to restart. After restart the device is back to normal operation.
An attacker could exploit the vulnerability by first gaining access to
the system with security privileges and attempt to update the IED
with a malicious update package. Successful exploitation of this
vulnerability will cause the IED to restart, causing a temporary Denial of Service.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Hitachi Energy	CNA	4.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Affected Products (NVD)

Vendor	Product	Version
hitachienergy	relion_650_firmware	2.2.0
hitachienergy	relion_650_firmware	2.2.1
hitachienergy	relion_650_firmware	2.2.4
hitachienergy	relion_650_firmware	2.2.5
hitachienergy	relion_670_firmware	2.2.0
hitachienergy	relion_670_firmware	2.2.1
hitachienergy	relion_670_firmware	2.2.2
hitachienergy	relion_670_firmware	2.2.3
hitachienergy	relion_670_firmware	2.2.4
hitachienergy	relion_670_firmware	2.2.5
hitachienergy	relion_sam600-io_firmware	2.2.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-347 - Improper Verification of Cryptographic Signature
The software does not verify, or incorrectly verifies, the cryptographic signature for data.

References

https://publisher.hitachienergy.com/preview?DocumentID=8DBD000146&LanguageCode=en&DocumentPartId=&Action=Launch