First published: Thu Nov 04 2021(Updated: )
Insecure Boot Image vulnerability in Hitachi Energy Relion Relion 670/650/SAM600-IO series allows an attacker who manages to get access to the front network port and to cause a reboot sequences of the device may exploit the vulnerability, where there is a tiny time gap during the booting process where an older version of VxWorks is loaded prior to application firmware booting, could exploit the vulnerability in the older version of VxWorks and cause a denial-of-service on the product. This issue affects: Hitachi Energy Relion 670 Series 2.2.2 all revisions; 2.2.3 versions prior to 2.2.3.3. Hitachi Energy Relion 670/650 Series 2.2.0 all revisions; 2.2.4 all revisions. Hitachi Energy Relion 670/650/SAM600-IO 2.2.1 all revisions.
Credit: cybersecurity@hitachienergy.com
Affected Software | Affected Version | How to fix |
---|---|---|
Hitachienergy Relion 670 Firmware | >=2.2.3<=2.2.3.3 | |
Hitachienergy Relion 670 Firmware | =2.2.0 | |
Hitachienergy Relion 670 Firmware | =2.2.1 | |
Hitachienergy Relion 670 Firmware | =2.2.2 | |
Hitachienergy Relion 670 Firmware | =2.2.4 | |
Hitachienergy Relion 670 | ||
Hitachienergy Relion 650 Firmware | =2.2.0 | |
Hitachienergy Relion 650 Firmware | =2.2.1 | |
Hitachienergy Relion 650 Firmware | =2.2.4 | |
Hitachienergy Relion 650 | ||
Hitachienergy Relion Sam600-io Firmware | =2.2.1 | |
Hitachienergy Relion Sam600-io |
Refer to the cybersecurity advisories at https://www.hitachienergy.com/cybersecurity/alerts-and-notifications
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability is an Insecure Boot Image vulnerability that allows an attacker who has access to the front network port to cause a reboot sequence of the device.
The severity of CVE-2021-35535 is high with a CVSS score of 8.1.
An attacker can exploit the vulnerability by taking advantage of a tiny time gap during the booting process of the device.
The versions affected are 2.2.0, 2.2.1, 2.2.2, and 2.2.3 (up to version 2.2.3.3).
To fix the vulnerability, it is recommended to update the firmware to a version that addresses the issue.