Positive Technologies: vulnerabilities in Mitsubishi Electric engineering utilities could threaten the workflow

Bugs were found in GX Works3 and MX OPC UA Module Configurator-R

Positive Technologies experts Anton Dorfman, Dmitry Sklyarov, Vladimir Nazarov, and Ilya Rogachev have identified seven vulnerabilities in software for Mitsubishi Electric industrial controllers. Exploitation of these vulnerabilities allowed unauthorized users to access MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module.

GX Works3 engineering software and the MX OPC UA Module Configurator-R utility are used to program Mitsubishi Electric PLCs (programmable logic controllers), configure their parameters, load projects, and perform monitoring, diagnostics, and debugging. GX Works3 is the main tool for creating the PLC project for the workflow and making all subsequent changes during operation.

"Mitsubishi Electric controllers are used in the water industry, in the automation of engineering systems for buildings, in shipping, in food production, and in other areas," commented Anton Dorfman, Lead Application Analysis Expert, Positive Technologies. "Most of the identified vulnerabilities are related to the mechanisms for preventing illegal access to programs in projects in the GX Works3 environment and the execution of programs in PLCs. If an attacker gets hold of a PLC project file, they can extract the password from it, log in to the PLC, and, for example, use the controller stop command. Like the exploitation of the vulnerabilities we detected earlier and reported in April and August, such attacks can disrupt the workflow, although they have a completely different vector."

The most dangerous vulnerability, CVE-2022-29830, scored 9.1 out of 10 on the CVSS 3.1 scale. Its exploitation can lead to disclosure of all project information, which in turn can result in confidential data being viewed or lost, and in project files being stolen or substituted. If project files are substituted, the consequence can be unauthorized modification or disruption of the workflow.

The vulnerability CVE-2022-25164 scored 8.6 out of 10 on the CVSS 3.1 scale. If an attacker gets hold of a project file, they will be able to extract the password and connect to the PLC.

Exploitation of the five vulnerabilities CVE-2022-29825 (score 5.6), CVE-2022-29826 (6.8), CVE-2022-29827 (6.8), CVE-2022-29828 (6.8), and CVE-2022-29829 (6.8) can lead to disclosure of sensitive information. Using that information, an unauthorized user can gain illegal access to projects in GX Works3 and execute programs on the PLC without authorization.

To mitigate the risks associated with these vulnerabilities, users should read and implement Mitsubishi Electric’s security advisory, including installing the latest patched version of GX Works3.

Mitsubishi is among the three largest manufacturers of industrial controllers in the world, with more than 17 million PLC units sold to date.

This is the final part of our major study of the security of Mitsubishi PLCs, carried out by our experts under the guidance of Anton Dorfman. The vulnerability report was sent to the vendor in December 2021. Mitsubishi Electric has used it to systematically close the vulnerabilities identified (April, August), thereby improving the security of its products. After the vendor released information about the vulnerabilities, Anton Dorfman presented the report at the HighLoad++ 2022 conference.

Note that in December 2022 the PT Industrial Security Incident Manager (PT ISIM) system for deep analysis of industrial process traffic was supplemented with support for the MELSOFT protocol and expanded support for SLMP. The update broadens coverage of Mitsubishi Electric protocols and improves identification of vulnerabilities.