CVE-2022-2513: Cleartext Storage of Sensitive Info in Energy 650 Connectivity Package

Severity
NVD: 5.5 MEDIUM
CNA: 7.1
EPSS
0.1%
top 82.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 22
Latest update: Jul 6

Description

A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM600 product included in the versions listed below, where IED credentials are stored in cleartext in the PCM600 database and log files. An attacker who gains access to the exported backup file can exploit the vulnerability and obtain user credentials of the IEDs. Additionally, an attacker with administrator access to the PCM600 host machi

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages: 12 packages

CVEListV5 hitachi_energy/pcm600 v2.62.11 Hotfix 20220617

Vulnerability Details (2)

GHSA
GHSA-rrwm-2vxq-5x2h: A vulnerability exists in the Intelligent Electronic Device (IED) Connectivity Package (ConnPack) credential storage function in Hitachi Energy’s PCM6 (2023-07-06)
CVEList
Cleartext Credentials Vulnerability on Hitachi Energy’s Multiple IED Connectivity Packages (IED ConnPacks) and PCM600 Products (2022-11-22)