Hitachi Energy Patches Critical Blast-RADIUS Vulnerability in XMC20 Industrial Platforms
Take action: First, make sure your industrial network is isolated from the internet and accessible only from trusted networks. Then plan a patch for your Hitachi XMC20 devices and your RADIUS servers.
CISA and Hitachi Energy report a patch for a critical flaw in Hitachi Energy's XMC20 communication platform, caused by the "Blast-RADIUS" vulnerability in the RADIUS protocol.
The flaw is tracked as CVE-2024-3596 (CVSS score 9.0) - an improper enforcement of message integrity vulnerability in the RADIUS protocol (RFC 2865) that allows for packet forgery.
Attackers can perform a chosen-prefix collision attack against the MD5 Response Authenticator signature to transform an Access-Reject response into an Access-Accept response. By intercepting and modifying these packets in transit, an unauthenticated attacker can gain full unauthorized access to the device management interface. The attack defeats the protocol's integrity checks by exploiting the predictable nature of MD5-based signatures, and it does not require the shared secret.
The vulnerability is patched in Hitachi Energy XMC20 version R18, as well as version R17A and all earlier releases.
Hitachi Energy recommends that users update to XMC20 R18 and enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations. This attribute adds an HMAC-MD5 signature to packets, which prevents the collision attacks used in the Blast-RADIUS exploit.
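The check that the Message-Authenticator option adds on the client side can be sketched as follows. This is an added example, not Hitachi Energy's or any RADIUS server's code; the function names, shared secret and packet contents are constructed for illustration, and the layout follows RFC 2865 and RFC 2869.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def build_response(code, ident, req_auth, attrs, secret, with_msg_auth=True):
    """Server side: build a response packet (used here to make constructed samples)."""
    if with_msg_auth:  # attribute goes in with a zeroed 16-byte value first
        attrs = bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_msg_auth:  # HMAC-MD5 keyed with the shared secret, then filled in
        mac = hmac.new(secret, hdr + req_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    # RFC 2865 Response Authenticator: plain MD5 with the secret appended
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, req_auth, secret):
    """Client side: accept only responses carrying a valid Message-Authenticator."""
    if len(packet) < 20:
        return False, "short packet"
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False, "bad length"
    hdr, resp_auth, attrs = packet[:4], packet[4:20], packet[20:length]
    legacy = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(legacy, resp_auth):
        return False, "bad Response Authenticator"
    zeroed, found, pos = bytearray(attrs), None, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return False, "malformed attribute"
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype == MSG_AUTH:
            if alen != 18 or found is not None:
                return False, "bad Message-Authenticator"
            found = attrs[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)  # value is zeroed for the HMAC
        pos += alen
    if found is None:  # the legacy MD5 check alone is what Blast-RADIUS defeats
        return False, "missing Message-Authenticator"
    expected = hmac.new(secret, hdr + req_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, found):
        return False, "bad Message-Authenticator"
    return True, "ok"
```

A response that passes only the legacy Response Authenticator check is rejected here, which is the behaviour the option is meant to enforce on both the XMC20 and the RADIUS server.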
If an upgrade is not possible, administrators should implement strict network segmentation to isolate management traffic and ensure that process control systems have no direct connections to the public internet.