Hitachi Energy MACH GWS Products
1. EXECUTIVE SUMMARY
- CVSS v4 9.4
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: MACH GWS products
- Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory, Authentication Bypass by Capture-replay, Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to inject code, read or modify files, hijack user sessions, or access exposed ports without authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy products are affected:
- MACH GWS: Version 2.1.0.0 (CVE-2024-4872, CVE-2024-3980)
- MACH GWS: Versions 2.2.0.0 to 2.4.0.0 (CVE-2024-4872, CVE-2024-3980)
- MACH GWS: Versions 3.0.0.0 to 3.3.0.0 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
- MACH GWS: Versions 3.1.0.0 to 3.3.0.0 (CVE-2024-7940)
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943
A vulnerability exists in the query validation of the MACH GWS product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.
CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-4872. A base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22
The MACH GWS product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.
CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3980. A base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
An attacker with local access to machine where MACH GWS is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session.
Note: By default, the session logging level is not enabled and only users with administrator rights can enable it.
CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3982. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The MACH GWS product exposes a service that is intended for local only to all network interfaces without any authentication.
CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-7940. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 PRODUCT IMPACT
Additional product-specific impact for MACH GWS 2 affected product vulnerable to the CVE:
- CVE-2024-4872
- (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
- CVE-2024-3980
- (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
- (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.4 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.5 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends that users update to the new versions listed below:
- MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0.
- MACH GWS Version 2.1.0.0: Apply the patch HF1 to HF6 sequentially.
- MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply the patch HF3 to HF6 sequentially.
For more information, visit the Hitachi Energy security advisory.
Hitachi Energy recommended security practices and firewall configurations can help protect a process control network from attacks originating outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports, evaluated on a case-by-case basis. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should be followed.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000211
This product is provided subject to this Notification and this Privacy & Use policy.
Vendor
- Hitachi Energy