Developers: Mitsubishi Electric
Branches: Information Technology
2022: Identifying holes in engineering software
On November 29, 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Mitsubishi Electric GX Works3 engineering software contains numerous vulnerabilities that theoretically allow attackers to gain unauthorized access to certain modules.
The most serious "holes," described in the CVE-2022-25164 and CVE-2022-29830 security bulletins, give cybercriminals the opportunity to interact with processor modules. Meanwhile, the CVE-2022-29831 flaw, discovered by Nozomi Networks, can be exploited to gain direct access to a secure CPU module and disrupt production processes.
Engineering software is a critical component of the security infrastructure around industrial controllers. If it contains vulnerabilities, attackers can use them to ultimately compromise the managed devices and, therefore, the controlled production process, experts say.
In total, CISA describes ten vulnerabilities. Some of them involve the use of a hard-coded cryptographic key, and several more the use of a hard-coded password. In addition, problems were found with the storage of confidential information in plain text. A flaw involving insufficiently protected credentials has also been identified. The report said successful exploitation of these vulnerabilities could allow unauthorized users to access the iQ-R/F/L series MELSEC processor modules and the MELSEC iQ-R series OPC UA server module. Attackers can also view certain data and execute program code.[1]