Multiple vulnerabilities found in Mitsubishi controllers

Mitsubishi recommends using encryption and firewalls, which will help minimize the risk of the detected vulnerabilities being exploited.

FX controllers are used for automating engineering systems of buildings, in woodworking, printing houses, in food and light industry, water management, and shipping. Mitsubishi ranks third in the global industrial controller market, having produced over 17 million compact PLCs [1].

The problems were found in the all-in-one compact FX5U controllers of the MELSEC iQ-F series, part of the MELSEC FX line. The vulnerabilities (including two high-severity ones) were discovered by Positive Technologies experts Anton Dorfman, Ilya Rogachev, Dmitry Sklyarov, and Artur Akhatov.

"Some of the vulnerabilities are associated with the risk of gaining access to sensitive information in the PLC. For example, attackers can find out the password hash value by intercepting traffic or using local access to certain files. Having a password hash and exploiting the detected vulnerabilities, attackers can bypass the built-in security mechanisms, log in to the PLC and, for example, use the controller stop command or gain access to protected files. Any such scenario can negatively affect production," explains Vladimir Nazarov, Head of ISC Security, Positive Technologies.

In his expert view, industrial enterprises often use the same passwords to access different resources (in practice, there were workshops in which all passwords were the same); therefore, by recovering the password from the intercepted hash, a cybercriminal can gain access to other nodes of the technological process. "And this poses a risk of ICS [2] compromise and a threat to the planned operation of the enterprise," notes Vladimir Nazarov.

To exploit the identified vulnerabilities, it is enough for an attacker to have network access to the controller or, where the network is segmented, to be on the same local network segment as the PLC. The CVSS v3.1 base scores of the vulnerabilities range from 5.9 to 7.4: CVE-2022-25155 (5.9), CVE-2022-25156 (5.9), CVE-2022-25159 (5.9), CVE-2022-25160 (6.8), CVE-2022-25157 (7.4), and CVE-2022-25158 (7.4).

All the models and versions of the following modules contain the vulnerabilities:

  • FX5U(C) module
  • FX5UJ CPU module

To reduce the risk of vulnerability exploitation, follow the vendor's recommendations. PT Industrial Cybersecurity Suite (PT ICS), Russia's first comprehensive industrial cybersecurity platform, helps identify vulnerable devices and nodes in industrial networks and continuously monitor the security of production facilities. It includes products for security event analysis, vulnerability management, as well as deep analysis of traffic and malware targeting automation systems.

[1] Programmable logic controllers (PLCs)
[2] Industrial Control System