Hitachi Energy FOXMAN-UN

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOXMAN-UN
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’), Heap-based Buffer Overflow, Incorrect User Management, Improper Certificate Validation, Improper Restriction of Excessive Authentication Attempts, Use of Hard-coded Password, Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated malicious user to interact with the services and the post-authentication attack surface.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• Hitachi Energy FOXMAN-UN: All versions prior to R15A
• Hitachi Energy FOXMAN-UN: R15B (CVE-2024-28020, CVE-2024-28022, CVE-2024-28024)
• Hitachi Energy FOXMAN-UN: R15B PC4 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)
• Hitachi Energy FOXMAN-UN: R16A
• Hitachi Energy FOXMAN-UN: R16B (CVE-2024-28020, CVE-2024-28022, CVE-2024-28024)
• Hitachi Energy FOXMAN-UN: R16B PC2 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)

3.2 VULNERABILITY OVERVIEW

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

An authentication bypass vulnerability exists in the FOXMAN-UN server / APIGateway component that if exploited allows unauthenticated malicious users to interact with the services and the post-authentication attack surface.

CVE-2024-2013 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string i

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.