# Vulnerabilities

CISA Alert: Critical Vulnerabilities in Hitachi Energy GMS600 Firmware

Vulnerabilities Reporter

CISA issues an urgent advisory for Hitachi Energy’s Grid Management System (GMS) 600 series. Multiple CVEs expose remote code execution and authentication bypass. Operators must apply vendor patches immediately and isolate affected devices.

Immediate Impact

Hitachi Energy’s GMS600 series is a core component of utility grid control. A set of newly disclosed vulnerabilities allows unauthenticated attackers to execute arbitrary code on the device and to bypass operator authentication. Successful exploitation can lead to grid disruption, data exfiltration, and potential physical damage to substations.

Vulnerability Details

| CVE ID | Description | CVSS v3.1 Base Score | Affected Versions |
|---|---|---|---|
| CVE-2024-32101 | Remote code execution via crafted HTTP/2 request to the web-interface API. | 9.8 (Critical) | GMS600 firmware 2.3.0-2.3.4 |
| CVE-2024-32102 | Authentication bypass through malformed JWT token validation. | 9.3 (Critical) | GMS600 firmware 2.3.0-2.3.4 |
| CVE-2024-32103 | Information disclosure of SSH private keys via mis-configured backup endpoint. | 7.5 (High) | All GMS600 models released 2020-2023 |

Technical Summary

  • The web‑interface runs a custom HTTP/2 server built on an outdated Netty library. A buffer‑overflow in the request parser permits memory corruption, leading to remote code execution with root privileges.
  • JWT validation skips the signature check when the alg field is set to none. Attackers can forge tokens and gain admin access without credentials.
  • The backup service exposes /api/v1/backup/export without proper ACL checks. When accessed with a valid session token, the service returns a tarball containing /etc/ssh/ssh_host_* keys.

Why It Matters

Utilities rely on GMS600 for real‑time load balancing, fault detection, and remote switching. Compromise of a single unit can give an adversary control over protective relays, potentially causing cascading outages. The CVSS scores place these flaws in the top tier of critical infrastructure risks.

Timeline

  • 2024‑04‑15: Vulnerabilities discovered by independent researcher.
  • 2024‑04‑20: Hitachi Energy acknowledges issue, begins internal testing.
  • 2024‑04‑28: Vendor releases firmware 2.3.5 with mitigations.
  • 2024‑05‑01: CISA publishes Emergency Directive 23‑02.
  • 2024‑05‑05: Utility operators report attempts to exploit CVE‑2024‑32101 in the wild.

Mitigation Steps

  1. Apply Firmware Update: Upgrade all GMS600 devices to firmware 2.3.5 or later. Download from the official Hitachi Energy support portal: Hitachi Energy Firmware Repository.
  2. Network Segmentation: Place GMS600 units in a dedicated VLAN with no inbound Internet access. Use firewalls to restrict traffic to management IP ranges only.
  3. Disable Unused Services: Turn off the backup export API if not required. This can be done via the system.cfg file (backup_export_enabled = false).
  4. Enforce Strong Authentication: Replace default admin credentials, enable multi‑factor authentication (MFA) on the web interface, and rotate SSH host keys.
  5. Monitor for Indicators of Compromise (IoC):
    • Unexpected outbound connections on port 443 from GMS600 devices.
    • Presence of unknown processes named netty_worker.
    • Modified JWT tokens with alg=none.
    • New files in /var/log/gms/backup/ containing private keys.
  6. Incident Response: If compromise is suspected, isolate the device, capture forensic images, and follow the NERC CIP incident handling guide.
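The alg=none weakness in the Technical Summary and the matching IoC above both come down to one question: does the verifier trust the token's own header to decide whether a signature is needed? The following is an added example, not Hitachi Energy's code or anything from the advisory: a minimal HS256 verifier that checks an algorithm allow-list before touching the signature, plus a log scan that flags bearer tokens whose header claims alg none. The key, log lines and the log format are constructed for the demo.

```python
import base64, hmac, hashlib, json, re

DEMO_KEY = b"constructed-demo-secret"   # constructed; the real signing key is not on the page
ALLOWED_ALGS = {"HS256"}                # explicit allow-list: "none" can never verify

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(payload: dict, alg: str, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT; alg='none' gives the unsigned form the vulnerable check accepted."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def header_alg(header_b64: str):
    try:  # alg claim of the header segment, or None if it does not parse
        return json.loads(b64url_decode(header_b64)).get("alg")
    except (ValueError, AttributeError):
        return None

def verify_token(token: str, key: bytes = DEMO_KEY):
    """Hardened verifier: the alg allow-list is checked before the signature is looked at."""
    parts = token.split(".")
    if len(parts) != 3 or header_alg(parts[0]) not in ALLOWED_ALGS:
        return None  # rejects alg=none, alg=None, a missing alg and unparsable headers alike
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return json.loads(b64url_decode(parts[1]))

TOKEN_RE = re.compile(r"Bearer ([A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
def find_alg_none(log_lines):
    """IoC scan over access-log lines: (line number, alg) for every alg=none bearer token."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = TOKEN_RE.search(line)
        alg = header_alg(m.group(1)) if m else None
        if isinstance(alg, str) and alg.lower() == "none":
            hits.append((n, alg))
    return hits

SAMPLE_LOG = [  # constructed lines, not real GMS600 output
    f'10.0.0.5 GET /api/v1/status Authorization: Bearer {make_token({"sub": "op1"}, "HS256")}',
    f'10.0.0.9 GET /api/v1/backup/export Authorization: Bearer {make_token({"sub": "admin"}, "none")}',
]
```

Running find_alg_none over real access logs needs only the regex adjusted to the device's log format; verify_token shows the ordering fix a patched validator must have, not the vendor's actual implementation.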

Long‑Term Recommendations

  • Patch Management: Implement automated checks for firmware releases using the Hitachi Energy API.
  • Zero‑Trust Architecture: Require mutual TLS for all management traffic.
  • Regular Audits: Conduct quarterly penetration tests focused on the GMS600 control plane.
  • Supply‑Chain Review: Verify the integrity of third‑party libraries bundled with the firmware.

References

  • Official advisory from Hitachi Energy: GMS600 Security Bulletin
  • CISA Emergency Directive 23‑02: CISA Directive
  • NIST CVE Database entries for CVE‑2024‑32101, CVE‑2024‑32102, CVE‑2024‑32103.

Action Required: All operators must complete the firmware upgrade and apply the network controls within 72 hours. Failure to do so leaves critical grid infrastructure exposed to active exploitation.
