Developers: Mitsubishi Electric
Last Release Date: 2022/12/22
Branches: Light industry, Forestry and woodworking, Food industry, Printing activity
Technology: APCS
2022
Fixing vulnerabilities that allowed unauthorized users to access PLCs
Positive Technologies experts Anton Dorfman, Dmitry Sklyarov, Vladimir Nazarov and Ilya Rogachev have identified seven vulnerabilities in Mitsubishi Electric's industrial controller software. Exploitation of these vulnerabilities allowed unauthorized users to access MELSEC iQ-R/F/L series PLCs and the MELSEC iQ-R series OPC UA server module. Positive Technologies announced this on December 22, 2022.
The GX Works3 engineering software and the MX OPC UA Module Configurator-R utility are used to program Mitsubishi Electric PLCs, configure their parameters, load projects, and monitor, diagnose and debug them. GX Works3 is the main tool: it is used to create the PLC project for the process and to make all further changes during operation.
"Mitsubishi Electric controllers are used in the water industry, to automate building engineering systems, in shipping, in food production and other areas," commented Anton Dorfman, lead specialist in application analysis, Positive Technologies. "Most of the vulnerabilities found are related to mechanisms for preventing illegal access to programs in projects in the GX Works3 environment and executing programs in PLC. If an attacker receives a PLC project file, he will be able to extract the password from it, log in to the PLC and, for example, use the command to stop the controller. Like the exploitation of vulnerabilities that we identified earlier and reported in April and August, such attacks can disrupt the technological process, although they have a completely different vector."
The most dangerous vulnerability, CVE-2022-29830, was rated 9.1 out of 10 on the CVSS 3.1 scale. Its exploitation can lead to the disclosure of all information about the project. This can lead to loss of confidentiality (viewing), theft or substitution of project files. Overwriting project files can result in unauthorized changes to the process or its disruption.
The CVE-2022-25164 vulnerability was rated 8.6 out of 10 on the CVSS 3.1 scale. If an attacker obtains a project file, he will be able to extract from it the password used to connect to the PLC.
Exploitation of the other five vulnerabilities, CVE-2022-29825 (rating 5.6), CVE-2022-29826 (6.8), CVE-2022-29827 (6.8), CVE-2022-29828 (6.8) and CVE-2022-29829 (6.8), can lead to the disclosure of sensitive information. Using that information, an unauthorized user can gain illegal access to projects in GX Works3 and execute programs in the PLC without authorization.
To minimize the risks associated with these vulnerabilities, users need to follow Mitsubishi Electric's recommendations published in its security notice, including installing the latest patched version of the GX Works3 engineering software.
This is the final part of a large Mitsubishi PLC security study carried out by experts led by Anton Dorfman. The vulnerability report was sent to the vendor a year earlier, in December 2021. On the basis of that report, Mitsubishi Electric has been systematically closing vulnerabilities (April, August), increasing the level of security of its products.
Fixing two vulnerabilities in controllers
Positive Technologies expert Anton Dorfman discovered two vulnerabilities in Mitsubishi MELSEC iQ-F series controllers. These devices are used in the food and light industries, woodworking, printing houses, water management, shipping, to automate building engineering systems, and in other areas. This was reported on August 16, 2022 by Positive Technologies.
As of August 2022, Mitsubishi has produced over 17 million compact PLCs.
"An intruder acting remotely could cause a denial of service to Mitsubishi controllers by sending specially crafted packets. An attack of this type will negatively affect the production process - it will disrupt it or lead to a long stop. The latter is an unacceptable event for most enterprises: in some cases, a re-launch can cost a significant amount," said Vladimir Nazarov, head of the industrial control systems security department at Positive Technologies.
The vulnerability CVE-2022-25161 was considered the more dangerous of the two (score 8.6 on the CVSS v3.1 scale). Exploitation of this vulnerability allows reading and writing outside the allowed memory range. Writing random values leads to an integer overflow, which causes a denial of service on the device. The second vulnerability, CVE-2022-25162, is also associated with the risk of a DoS attack but is less dangerous (a reboot is not needed to restore the affected controller, and the vulnerability does not affect other system components); it received a rating of 5.3.
To reduce the risk of exploitation, the vendor issued recommendations and released updated firmware in which the problems were fixed. To prevent attacks in cases where Internet access is required, Mitsubishi recommends using firewalls or a virtual private network (VPN). In addition, the company's specialists advise using the IP filter function to limit connections to the products and prevent access from untrusted networks or hosts.
"To analyze the security of production systems, we also recommend using cyber ranges, such as The Standoff 365 platform: modern solutions that allow you to check the possibility of attacks on systems without disrupting the technological process," noted Vladimir Nazarov.