Developers: Mitsubishi Electric
Branches: Petroleum industry, Chemical industry
Technology: APCS
2024: Addressing Five Remote Code Execution Vulnerabilities
Positive Technologies expert Anton Dorfman has identified five vulnerabilities in the processor modules of MELSEC System Q and MELSEC System L series PLCs. This equipment can be used in the chemical industry, in semiconductor production, in building automation and in other areas. In Russia, MELSEC System Q controllers are used, in particular, in the oil and gas industry. Mitsubishi Electric is one of the top three vendors in the global industrial controller market and has produced over 17 million compact PLCs. The vendor was notified of the vulnerabilities under a responsible disclosure policy, took measures to reduce the threats and planned to release a software update. Positive Technologies reported this on May 22, 2024.
"All five vulnerabilities are of the most dangerous type - remote code execution (RCE). By remotely exploiting them, an attacker could gain full control over the Mitsubishi Electric PLC and the technological process it controls. An attacker would be able to change the PLC firmware code or implement additional functions to manipulate the control program (project) loaded into the controller. Such attacks, if successful, could lead to failures in technological processes in chemical, oil and gas and other areas. To exploit the discovered vulnerabilities, it was enough for an attacker to have network access to the controller," said Anton Dorfman, principal firmware security researcher at Positive Technologies Application Analysis.
Vulnerabilities CVE-2024-0802, CVE-2024-0803, CVE-2024-1915, CVE-2024-1916 and CVE-2024-1917 (BDU:2024-02053, BDU:2024-02214, BDU:2024-02215, BDU:2024-02216, BDU:2024-02217) received the same rating - 9.8 points on the CVSS 3.0 scale, which means a critical level of danger.
PT Expert Security Center data shows that the IP addresses of several hundred vulnerable Mitsubishi Electric MELSEC System Q controllers were reachable from the Internet at the time of publication. Most of this equipment is in Japan (56%), followed by the USA (6%). The other countries named are China, South Korea, Taiwan, Canada, Poland, Great Britain, Brazil, Germany, Russia, Austria, the Netherlands and Thailand, each with a share between 1% and 5.5%.
The availability of these devices to attackers was due to configuration errors. The real number of vulnerable controllers could be greater.
To reduce the risk of exploiting these vulnerabilities, Mitsubishi Electric recommends using a firewall and virtual private network (VPN). In addition, it is necessary to restrict physical access to controllers, workstations and network devices that can communicate with the PLC.