## Hitachi Energy GMS600 Vulnerable to OpenSSL Timing Attack A vulnerability has been identified in **Hitachi Energy**'s GMS600 product, stemming from a flaw in the **OpenSSL** component. The vulnerability, tracked as **CVE-2022-4304**, could allow attackers to potentially decrypt sensitive data. [View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-01.json) ### Vulnerability Details The core issue lies within the **OpenSSL** RSA decryption implementation. An attacker could exploit a timing-based side channel to recover plaintext across a network using a Bleichenbacher-style attack. This requires the attacker to send a large number of trial messages for decryption and meticulously record the processing time for each. Successful exploitation enables the recovery of the pre-master secret used for the original connection, thereby decrypting application data transmitted over that connection. The vulnerability affects all RSA padding modes, including PKCS#1 v1.5, RSA-OEAP, and RSASVE. ### Affected Products * **Vendor:** Hitachi Energy * **Product:** GMS600 * **Affected Versions:** 1.3.0 and 1.3.1 * **Status:** Known Affected ### Technical Details * **CVSS v3 Score:** 5.9 * **CWE:** [CWE-203 Observable Discrepancy](https://cwe.mitre.org/data/definitions/203.html) ### Impact Successful exploitation of this vulnerability could lead to the decryption of sensitive application data, potentially compromising the confidentiality of communications. ### Mitigation While specific patches or updates aren't detailed in this advisory excerpt, general mitigation factors are provided: * **Network Segmentation:** Isolate process control systems from the internet and business networks using firewalls. * **Access Control:** Enforce strict ingress IP allowlisting and traffic rate limiting. * **Physical Security:** Protect process control systems from unauthorized physical access. * **Secure Remote Access:** When remote access is necessary, utilize secure methods like VPNs (ensure VPNs are updated to the latest versions). * **Security Awareness:** Prohibit internet surfing, instant messaging, and email access on process control systems. * **Malware Scanning:** Carefully scan portable computers and removable storage media for viruses before connecting them to a control system. ### Reporting **Hitachi Energy** Internal Team reported this vulnerability to **CISA**. ### Additional Information For further details and support, contact your product provider or **Hitachi Energy** service organization. Contact information can be found at [https://www.hitachienergy.com/contact-us/](https://www.hitachienergy.com/contact-us/). ### Disclaimer This information is subject to change without notice and should not be construed as a commitment by **Hitachi Energy**. ### Revision History | Date | Revision | Summary | | ---------- | -------- | ------------------------ | | 2023-06-27 | 1 | Initial public release. | | 2026-04-28 | 2 | Updated fixed version. | | 2026-05-21 | 3 | Initial **CISA** Republication of **Hitachi Energy** PSIRT 8DBD000159 advisory |