CVE-2021-40341

Summary

DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOXMAN-UN to encrypt user credentials used to access the Network Elements. Successful exploitation allows sensitive information to be decrypted easily. This issue affects 

  • FOXMAN-UN product: FOXMAN-UN R16A, FOXMAN-UN R15B, FOXMAN-UN R15A, FOXMAN-UN R14B, FOXMAN-UN R14A, FOXMAN-UN R11B, FOXMAN-UN R11A, FOXMAN-UN R10C, FOXMAN-UN R9C; 
  • UNEM product: UNEM R16A, UNEM R15B, UNEM R15A, UNEM R14B, UNEM R14A, UNEM R11B, UNEM R11A, UNEM R10C, UNEM R9C.

List of CPEs: 

  • cpe:2.3:a:hitachienergy:foxman-un:R16A:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R15B:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R15A:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R14B:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R14A:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R11B:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R11A:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R10C:::::::*
  • cpe:2.3:a:hitachienergy:foxman-un:R9C:::::::*
  • cpe:2.3:a:hitachienergy:unem:R16A:::::::*
  • cpe:2.3:a:hitachienergy:unem:R15B:::::::*
  • cpe:2.3:a:hitachienergy:unem:R15A:::::::*
  • cpe:2.3:a:hitachienergy:unem:R14B:::::::*
  • cpe:2.3:a:hitachienergy:unem:R14A:::::::*
  • cpe:2.3:a:hitachienergy:unem:R11B:::::::*
  • cpe:2.3:a:hitachienergy:unem:R11A:::::::*
  • cpe:2.3:a:hitachienergy:unem:R10C:::::::*
  • cpe:2.3:a:hitachienergy:unem:R9C:::::::*

Affected Software

VendorProductVersion RangeStatus
Hitachi EnergyFOXMAN-UNFOXMAN-UN R16Aaffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R15Baffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R15Aaffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R14Baffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R14Aaffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R11Baffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R11Aaffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R10Caffected
Hitachi EnergyFOXMAN-UNFOXMAN-UN R9Caffected
Hitachi EnergyUNEMUNEM R16Aaffected
Hitachi EnergyUNEMUNEM R15Baffected
Hitachi EnergyUNEMUNEM R15Aaffected
Hitachi EnergyUNEMUNEM R14Baffected
Hitachi EnergyUNEMUNEM R14Aaffected
Hitachi EnergyUNEMUNEM R11Baffected
Hitachi EnergyUNEMUNEM R11Aaffected
Hitachi EnergyUNEMUNEM R10Caffected
Hitachi EnergyUNEMUNEM R9Caffected

Weaknesses

  • CWE-326: CWE-326 Inadequate Encryption Strength

Workarounds

The vulnerabilities are partially remediated in FOXMAN-UN R16A or UNEM R16A, the full remediation will be done in the upcoming release (planned).

For immediate recommended mitigation actions if using FOXMAN-UN R16A or UNEM R16A, please refer to the

Database contains credentials with weak encryption

clause of section Mitigation Factors/Workarounds in the respective products' advisory.

For immediate recommended mitigation actions if using FOXMAN-UN R15B or UNEM R15B and earlier, please refer to the multiple clauses of section Mitigation Factors/Workarounds in the advisory

  • Secure the NMS CLIENT/SERVER communication. 
  • Embedded FOXCST with RADIUS authentication should be avoided. 
  • Database contains credentials with weak encryption.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References