CISA Warns of OpenSSL Timing Side-Channel in Hitachi Energy GMS600
CISA has issued an advisory for CVE-2022-4304, a timing-based side-channel vulnerability in OpenSSL affecting Hitachi Energy GMS600 versions 1.3.0 and 1.3.1, which could allow attackers to decrypt TLS traffic.

CISA has published an advisory warning of a vulnerability in Hitachi Energy's GMS600 product, a grid monitoring system used in critical manufacturing infrastructure worldwide. The flaw, tracked as CVE-2022-4304, is a timing-based side-channel vulnerability in the OpenSSL component that could allow an attacker to decrypt application data sent over TLS connections.
The vulnerability resides in OpenSSL's RSA decryption implementation, whose running time varies with the decrypted plaintext. An attacker who has captured a genuine TLS session between a client and the server can then send a very large number of crafted trial ciphertexts to that server and measure how long each takes to be rejected. The timing differences act as a padding oracle, and after enough queries the attacker can recover the pre-master secret the client sent in the captured session and, with it, decrypt that session's application data. This is a Bleichenbacher-style padding-oracle attack, and the side channel affects all RSA padding modes, including PKCS#1 v1.5, RSA-OAEP and RSASVE. The TLS attack path only exists for cipher suites that use RSA key exchange, where the client encrypts the pre-master secret with the server's RSA public key; (EC)DHE suites and TLS 1.3 never send an RSA-encrypted pre-master secret, although the underlying OpenSSL flaw still affects any other use of RSA decryption.
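To make the mechanism concrete, the following is an added illustrative model, not OpenSSL's code and not from Hitachi Energy or CISA, of the two ways a PKCS#1 v1.5 decoder can behave: one that stops at the first bad byte and one that does a fixed amount of work regardless of input. It counts bytes examined instead of wall-clock time so the leak is deterministic and repeatable; the toy modulus size K, the helper names (build_em, unpad_early_exit, unpad_fixed_work, padding_oracle_from_timing, demo) and the sample inputs are all constructed for this example.

```python
from __future__ import annotations

# Illustrative model of the timing side channel behind a Bleichenbacher-style
# attack on RSA PKCS#1 v1.5 decryption. Added example, not OpenSSL's code:
# instead of wall-clock time it counts "steps" (bytes examined) so the leak
# is deterministic. Names (K, build_em, unpad_*, demo) are invented here.

K = 32  # toy modulus length in bytes; RSA-2048 would give K = 256


def build_em(message: bytes, k: int = K) -> bytes:
    """Encode message as 0x00 || 0x02 || PS || 0x00 || M (RFC 8017, 7.2.1).
    PS is fixed to 0xFF bytes for determinism; a real encoder uses random
    nonzero bytes, but the decoder only cares that they are nonzero."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    return b"\x00\x02" + b"\xff" * ps_len + b"\x00" + message


def unpad_early_exit(em: bytes) -> tuple[bytes | None, int]:
    """Leaky decoder: returns as soon as a check fails.
    The step count (the time) depends on where the padding first breaks,
    which is exactly what a remote attacker measures."""
    steps = 1
    if em[0] != 0x00:
        return None, steps
    steps += 1
    if em[1] != 0x02:
        return None, steps
    i = 2
    while i < len(em):
        steps += 1
        if em[i] == 0x00:
            break
        i += 1
    if i == len(em) or i < 10:  # no separator, or PS shorter than 8 bytes
        return None, steps
    return em[i + 1:], steps


def unpad_fixed_work(em: bytes) -> tuple[bytes | None, int]:
    """Decoder that touches every byte and defers the verdict to the end, so
    the step count is len(em) for every input. (Python cannot give real
    constant-time guarantees; the point is that the work done is independent
    of the data, which is the property an RSA decryption routine must keep.)"""
    k = len(em)
    bad = int(em[0] != 0x00) | int(em[1] != 0x02)
    steps = 2
    found = 0       # set to 1 once the first 0x00 after the header is seen
    zero_index = 0  # index of that separator byte
    for i in range(2, k):
        steps += 1
        is_zero = int(em[i] == 0x00)
        take = is_zero & (1 - found)   # 1 only for the first separator
        zero_index |= i & -take        # -take is 0 or -1 (an all-ones mask)
        found |= is_zero
    bad |= (1 - found) | int(zero_index < 10)
    return (None if bad else em[zero_index + 1:]), steps


def padding_oracle_from_timing(steps: int, threshold: int = 8) -> bool:
    """Attacker's view: a fast rejection means the trial ciphertext decrypted
    to a non-conforming plaintext, a slow one means it was conforming.
    This yes/no answer is the oracle a Bleichenbacher attack is built on."""
    return steps > threshold


def demo() -> dict[str, tuple[int, int, bool]]:
    """For each decoder: steps on a conforming plaintext, steps on a typical
    attacker trial (random-looking bytes, wrong second byte), and whether
    timing alone distinguishes the two."""
    conforming = build_em(b"premaster")
    trial = b"\x00\x17" + b"\x42" * (K - 2)  # constructed sample input
    out = {}
    for name, fn in (("early_exit", unpad_early_exit),
                     ("fixed_work", unpad_fixed_work)):
        _, s_ok = fn(conforming)
        _, s_trial = fn(trial)
        out[name] = (s_ok, s_trial,
                     padding_oracle_from_timing(s_ok)
                     != padding_oracle_from_timing(s_trial))
    return out


if __name__ == "__main__":
    for name, (s_ok, s_trial, leaks) in demo().items():
        print(f"{name:11s} conforming={s_ok:3d} trial={s_trial:3d} leaks={leaks}")
```

Running the block shows the early-exit decoder spending 23 steps on a conforming plaintext but only 2 on the attacker's trial, so the timing alone answers "was this PKCS#1-conforming?"; the fixed-work decoder spends 32 steps either way and the distinguisher disappears. A real Bleichenbacher attack asks that question many thousands of times with adaptively chosen ciphertexts, which is why the attack needs a very large number of trial messages and why the real OpenSSL leak, subtler than an explicit early return, was still enough to recover a pre-master secret over the network.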
Hitachi Energy GMS600 versions 1.3.0 and 1.3.1 are confirmed affected. The product is deployed globally in the critical manufacturing sector, making it a high-value target for state-sponsored or industrial espionage actors. The vulnerability has a CVSS v3.1 base score of 5.9 (Medium), with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, high attack complexity, no privileges or user interaction required, high confidentiality impact, and no integrity or availability impact.
Hitachi Energy has released version 1.3.2 to remediate the issue. Users are strongly advised to upgrade immediately. For organizations unable to patch immediately, CISA recommends network-level mitigations such as enforcing IP allowlisting and applying traffic rate limiting; because the attack depends on sending a very large number of trial messages to the same server, these controls raise its cost directly rather than merely shrinking the attack surface. Additionally, process control systems should be isolated from the internet and separated from business networks via firewalls.
CISA also emphasizes that remote access to control systems should use secure methods like VPNs, which should be kept updated. The agency encourages organizations to follow its recommended practices for industrial control system cybersecurity, including defense-in-depth strategies.
This advisory is part of a broader trend of vulnerabilities in industrial control systems (ICS) stemming from common software components like OpenSSL. OpenSSL fixed CVE-2022-4304 upstream in versions 3.0.8 and 1.1.1t in February 2023, and it has since been addressed in other products, but its reappearance in a critical infrastructure product highlights the supply chain challenge in OT environments, where vendors bundle OpenSSL into device firmware and ship the corresponding fix long after upstream.