Mitsubishi software vulnerabilities could be exploited to hack safety systems

December 14, 2022

Researchers have identified three vulnerabilities in Mitsubishi software that threat actors could exploit to hack safety systems. According to their investigation, the flaws are in Mitsubishi Electric’s GX Works3 engineering workstation software.

GX Works3 is the configuration and programming software provided by Mitsubishi Electric for its MELSEC iQ-R and MELSEC iQ-F programmable logic controllers (PLCs). The researchers identified three flaws, tracked as CVE-2022-29831, CVE-2022-29832 and CVE-2022-29833.

These vulnerabilities could allow a malicious entity to acquire information from GX Works3 project files and use it to compromise connected safety CPU modules.

The project files for the modules are encrypted, and a user-configured username and password are required to access them. However, the researchers found cleartext storage, hardcoded password, and insufficiently protected credentials issues that expose these credentials and other critical data.

Furthermore, a threat actor could obtain a project file from a shared computer or a compromised file server, or by intercepting unprotected communications. Once they have the file, the actors could abuse the flaws to get the information needed to hack the industrial control systems.

The first two flaws in the Mitsubishi software could expose confidential information.

Further investigation revealed that an adversary could exploit the first two flaws in the Mitsubishi software to obtain confidential information contained in the project file, as well as information about the project itself. The collected data could also include the usernames of the accounts registered on the linked safety CPU module.

The company advises asset owners not to use the same credentials for accessing the safety CPU module and for protecting the related project file, to avoid a more dangerous scenario if an exploit happens.

Mitsubishi Electric has published an advisory explaining the vulnerabilities. CISA has also released its own advisory to notify organisations about these products. Both advisories also describe seven other flaws that affect the same software.

Unfortunately, Mitsubishi has yet to release fixes and has only provided mitigations and workarounds to address the situation. Users of the affected products should be made aware of these mitigations to avoid possible abuse by cybercriminals.
