Hitachi Energy reports BlastRADIUS flaw in AFS, AFR and AFF Series product families
Take action: For Hitachi Energy AFS/AFR/AFF series devices, ensure they are isolated from the internet and accessible only from trusted networks. If using RADIUS authentication, verify that the RADIUS Server Message Authenticator option is enabled (it's the default setting, but check if you've modified any RADIUS configurations). There is no patch.
Learn More
Hitachi Energy is reporting a critical security vulnerability affecting multiple products in its AFS, AFR, and AFF series product families.
The flaw is tracked as CVE-2024-3596 (CVSS score 9.0), the well-known BlastRADIUS: a weakness in the RADIUS (Remote Authentication Dial-In User Service) protocol as specified in RFC 2865 that allows local attackers to perform forgery attacks, modifying any valid response (Access-Accept, Access-Reject, or Access-Challenge) into any other response using a chosen-prefix collision attack against the MD5 Response Authenticator signature.
The vulnerability affects all versions of the following Hitachi Energy products, all of which are classified as legacy systems:
- AFS 660-B/C/S,
- AFS 665-B/S,
- AFS 670 v2.0,
- AFS 650,
- AFS 655,
- AFS 670,
- AFS 675,
- AFS 677,
- AFR 677,
- AFF 660,
- AFF 665.
The products are only vulnerable when they have RADIUS enabled and the RADIUS Server Message Authenticator option is disabled. In the default configuration, products are not affected by this vulnerability.
Hitachi Energy has issued mitigation guidance for organizations operating affected systems. The primary mitigation action is to set the RADIUS configuration to its default state, which enables the RADIUS Server Message Authenticator option.
For products in the AFS65x, AFS67x, and AFR67x series, administrators can enable this option using the CLI command radius server msgauth or via the SNMP MIB parameter hmAgentRadiusServerMsgAuth. For products in the AFS66x, AFS 670 v2.0, and AFF66x series, the command is radius server auth modify <index> msgauth via CLI or the MIB parameter hm2AgentRadiusServerMsgAuth.
Organizations are strongly advised to verify that the Message Authenticator option is enabled across all RADIUS-dependent services and to implement this change immediately to protect against potential exploitation.
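To make concrete what the Message Authenticator option adds, the following is an added Python example (not Hitachi Energy's code or part of the advisory) that builds constructed RADIUS responses with and without the RFC 2869 Message-Authenticator attribute and classifies a received response as protected by HMAC-MD5 or guarded only by the MD5 Response Authenticator that BlastRADIUS forges. The shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type carrying the HMAC-MD5

def build_response(code, ident, req_auth, secret, attrs, with_msg_auth):
    """Build a constructed RADIUS response (code 2/3/11) to a request with
    authenticator req_auth; attrs is a list of (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_msg_auth:
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        # RFC 2869 s5.14: HMAC-MD5 over the packet with the Response Authenticator
        # field replaced by the Request Authenticator and the MAC bytes zeroed.
        mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    # RFC 2865 Response Authenticator: plain MD5, the part BlastRADIUS forges.
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def check_response(packet, req_auth, secret):
    """Classify a response: 'protected' (valid Message-Authenticator present),
    'unprotected' (only the MD5 Response Authenticator), 'bad' or 'malformed'."""
    if len(packet) < 20:
        return "malformed"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:])[0] != len(packet):
        return "malformed"
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        return "bad"
    off, found = 0, None
    while off < len(body):  # walk the type-length-value attribute list
        if off + 2 > len(body) or body[off + 1] < 2 or off + body[off + 1] > len(body):
            return "malformed"
        if body[off] == MESSAGE_AUTHENTICATOR:
            if body[off + 1] != 18:
                return "malformed"
            found = off
        off += body[off + 1]
    if found is None:
        return "unprotected"  # the state the advisory's mitigation eliminates
    zeroed = body[:found + 2] + bytes(16) + body[found + 18:]
    expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    return "protected" if hmac.compare_digest(body[found + 2:found + 18], expected) else "bad"
```

Run check_response over responses from a device in its current configuration: an "unprotected" result means the Message Authenticator option is off and the device is in the affected state described above.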
Beyond the immediate mitigation, Hitachi Energy and CISA recommend implementing comprehensive defense-in-depth strategies for industrial control systems. These best practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, maintaining no direct connections to the Internet, and separating control networks from other networks using properly configured firewalls with minimal exposed ports.