1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: EZSocket, FR Configurator2, GT Designer3 Version1(GOT1000), GT Designer3 Version1(GOT2000), GX Works2, GX Works3, MELSOFT Navigator, MT Works2, MX Component, MX OPC Server DA/UA (Software packaged with MC Works64)
- Vulnerabilities: Missing Authentication for Critical Function, Unsafe Reflection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric FA Engineering Software Products, are affected:
- EZSocket: Versions 3.0 and later
- FR Configurator2: All versions
- GT Designer3 Version1(GOT1000): All versions
- GT Designer3 Version1(GOT2000): All versions
- GX Works2: Versions 1.11M and later
- GX Works3: All versions
- MELSOFT Navigator: Versions 1.04E and later
- MT Works2: All versions
- MX Component: Versions 4.00A and later
- MX OPC Server DA/UA (Software packaged with MC Works64): All versions
3.2 Vulnerability Overview
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
A remote unauthenticated attacker may be able to bypass authentication by sending specially crafted packets and connect to the products.
CVE-2023-6942 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.2 USE OF EXTERNALLY-CONTROLLED INPUT TO SELECT CLASSES OR CODE (‘UNSAFE REFLECTION’) CWE-470
An attacker may be able to execute a malicious code by remotely calling a function with a path to a malicious library while connected to the products. As a result, unauthorized users may disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.
CVE-2023-6943 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Reid Wightman of Dragos reported these vulnerabilities to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:
- When connecting your personal computer with the affected products to the internet, use a firewall, virtual private network (VPN), etc., to prevent unauthorized access and allow only trusted users to remote login.
- Use your personal computer with the affected products within a LAN and block access from untrusted networks and hosts.
- Restrict physical access to your computer using the affected products as well as to the personal computers and network devices that can communicate with it.
- Install antivirus software on your personal computer using the affected products and on the personal computers that can communicate with it.
- Don’t open untrusted files or click untrusted links.
For more information, see Mitsubishi Electric’s security advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- January 30, 2024: Initial Publication