CVE-2021-35533
📋 TL;DR
An improper input validation vulnerability in the APDU parser of Hitachi Energy RTU500 series CMU devices allows attackers to send specially crafted IEC 60870-5-104 messages that cause the receiving device to reboot. This affects RTU500 series CMU devices with specific firmware versions. By default, the vulnerable BCI IEC 60870-5-104 function is disabled, reducing exposure.
💻 Affected Systems
- Hitachi Energy RTU500 series CMU
📦 What is this software?
Rtu500 Firmware by Hitachienergy
⚠️ Risk & Real-World Impact
Worst Case
Denial of service causing critical infrastructure disruption through repeated device reboots, potentially leading to loss of monitoring/control in industrial environments.
Likely Case
Temporary service interruption through device reboot, requiring manual intervention to restore normal operation.
If Mitigated
Minimal impact if vulnerable function is disabled or network controls prevent malicious traffic.
🎯 Exploit Status
Exploitation requires network access to the vulnerable BCI interface and knowledge of IEC 60870-5-104 protocol.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to firmware versions beyond affected ranges (consult vendor advisory for specific fixed versions)
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000063&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download updated firmware from the Hitachi Energy/ABB support portal.
2. Follow the vendor's firmware update procedure for RTU500 CMU devices.
3. Verify the update succeeded and the device functions normally.
🔧 Temporary Workarounds
Disable BCI IEC 60870-5-104 function
If not required, disable the vulnerable Bidirectional Communication Interface (BCI) function entirely.
Configuration specific to RTU500 CMU - consult vendor documentation for disabling BCI IEC 60870-5-104
Network segmentation and access controls
Restrict network access to RTU500 devices to authorized systems only, using firewalls and VLANs.
🧯 If You Can't Patch
- Ensure BCI IEC 60870-5-104 function remains disabled if not required
- Implement strict network segmentation and monitor for anomalous IEC 60870-5-104 traffic
🔍 How to Verify
Check if Vulnerable:
Check CMU firmware version via device management interface and verify if BCI IEC 60870-5-104 function is enabled.
Check Version:
Device-specific command via RTU500 management interface (consult vendor documentation)
Verify Fix Applied:
Confirm firmware version is updated beyond affected ranges and test BCI functionality if required.
📡 Detection & Monitoring
Log Indicators:
- Unexpected device reboots
- APDU parsing errors in BCI logs
- IEC 60870-5-104 protocol anomalies
Network Indicators:
- Malformed IEC 60870-5-104 packets to RTU500 devices
- Unusual traffic patterns to BCI ports
SIEM Query:
Example (inner parentheses make the intended precedence explicit, since AND/OR binding differs between SIEM query languages): 'device_type:RTU500 AND (event_type:reboot OR (protocol:IEC60870-5-104 AND status:error))'
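As an added example that is not part of this advisory or of any Hitachi Energy code, the following passive check classifies the IEC 60870-5-104 APCI headers in a captured TCP payload, giving a concrete form to the "malformed IEC 60870-5-104 packets" network indicator above. It tests only the publicly specified APCI layout; the advisory does not disclose what the crafted message looks like, so this is a spec-conformance check rather than a signature, and the sample payload is constructed.

```python
# Added example, not from the advisory or from Hitachi Energy: a passive
# IEC 60870-5-104 APCI sanity check for the "malformed IEC 60870-5-104
# packets" network indicator. It tests only the public APCI layout (start
# byte 0x68, length field 4..253, S and U frames carry no ASDU, I frames
# carry at least the 6-byte ASDU header); the advisory does not disclose the
# crafted message, so this is a spec-conformance check, not a signature.
MAX_APDU_LEN = 253   # upper bound of the APCI length field
MIN_ASDU_HDR = 6     # type id, VSQ, cause of transmission (2), common address (2)

def check_apdu_stream(data: bytes) -> list[tuple[int, str, str]]:
    """Classify every APDU in one TCP payload as (offset, kind, detail);
    stop at the first framing error, since resynchronising is unreliable."""
    out, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x68:
            out.append((pos, "bad_start", f"got 0x{data[pos]:02x}"))
            break
        if pos + 1 >= len(data):
            out.append((pos, "truncated", "no length byte"))
            break
        n = data[pos + 1]
        if not 4 <= n <= MAX_APDU_LEN:
            out.append((pos, "bad_length", f"length {n} outside 4..{MAX_APDU_LEN}"))
            break
        apdu = data[pos + 2 : pos + 2 + n]
        if len(apdu) < n:
            out.append((pos, "truncated", f"declared {n}, have {len(apdu)}"))
            break
        c = apdu[:4]
        if (c[0] & 0x01) == 0:                    # I format: carries an ASDU
            ok = n >= 4 + MIN_ASDU_HDR
            kind, detail = ("ok", f"I frame, ASDU type {apdu[4]}") if ok else ("short_asdu", f"{n - 4} ASDU bytes")
        elif (c[0] & 0x03) == 0x01:               # S format: supervisory, no ASDU
            ok = n == 4 and c[1] == 0
            kind, detail = ("ok", "S frame") if ok else ("bad_s_frame", "payload or reserved bits set")
        else:                                     # U format: STARTDT/STOPDT/TESTFR
            ok = n == 4 and c[1:] == b"\x00\x00\x00"
            kind, detail = ("ok", f"U frame func 0x{c[0]:02x}") if ok else ("bad_u_frame", "payload or reserved bits set")
        out.append((pos, kind, detail))
        pos += 2 + n
    return out

# Constructed sample payload: STARTDT act, a minimal I frame carrying a
# C_IC_NA_1 interrogation command, then a frame whose length field is 255.
SAMPLE_STREAM = bytes.fromhex(
    "680407000000"
    "680e0000000064010600010000000014"
    "68ff0000"
)
```

Run it over per-connection TCP payloads reassembled from a capture of the BCI port; anything other than "ok" is worth correlating with the reboot and APDU parsing error log indicators listed above.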