Successful exploitation of these vulnerabilities could lead to accidents and production interruptions at industrial facilities.
Dubai, UAE, May 27, 2024: Positive Technologies announced that they discovered five vulnerabilities in Mitsubishi Electric’s MELSEC System Q and MELSEC System L series PLC processor modules. These modules are used in the chemical industry, semiconductor production, building automation, and other industries. Mitsubishi Electric is one of the top three largest global manufacturers of industrial controllers, with over 17 million compact PLCs produced [1]. The company was notified of the vulnerabilities under its responsible disclosure policy, mitigated the consequences, and scheduled a software update.
“All five vulnerabilities were classified as the most dangerous type: remote code execution (RCE). Attackers can exploit them remotely to gain full access to Mitsubishi Electric PLCs and the ICS resources they control. Attackers are allowed to change the PLC firmware code and execute other functions to manipulate the control application program downloaded into the controller. Attacks of this sort can lead to disruptions in ICS resources in the chemical, oil and gas, and other industries. To exploit these vulnerabilities, all attackers need network access to the controller,” notes Anton Dorfman, Principal Firmware Security Researcher in the Positive Technologies Application Analysis Department, who discovered these vulnerabilities.
The vulnerabilities CVE-2024-0802, CVE-2024-0803, CVE-2024-1915, CVE-2024-1916 и CVE-2024-1917 have the same CVSS 3.0 score of 9.8 (critical severity).
According to the monitoring data of the Positive Technologies expert center, special online search engines were able to detect the IP addresses of more than 200 vulnerable Mitsubishi Electric MELSEC System Q controllers. Most of the equipment is used in Japan (56%), followed by the U.S. (6%), China (5.5%), South Korea (5.5%), Taiwan (5.5%), Canada (4.5%), Poland (4%), the UK (2%), Brazil (1.5%), Germany (1.5%), Russia (1.5%), Austria (1%), the Netherlands (1%), and Thailand (1%). A potential attacker could access these devices due to configuration errors, and the real number of vulnerable controllers could be higher.
To reduce the risk of vulnerability exploitation by attackers, Mitsubishi Electric recommends using a firewall and VPN and limiting physical access to controllers, workstations, and network devices that can communicate with the PLC.
The five new vulnerabilities in MELSEC System Q and MELSEC System L were discovered during large-scale research on Mitsubishi Electric controllers. In 2022, Positive Technologies experts helped Mitsubishi Electric fix vulnerabilities in FX controllers and engineering software (GX Works3 and the MX OPC UA Module Configurator-R utility). After the company published information about the vulnerabilities, the research report was presented at Nullcon 2023.
Positive Technologies suggests using PT Industrial Security Incident Manager, an in-depth industrial traffic analysis system, for detecting attempts to exploit ICS vulnerabilities. PT ISIM recognizes the communication protocols of Mitsubishi Electric MELSEC controllers, analyzes commands, and informs the security team about suspicious events and incidents.
Also read: Unveiling the Ethical Imperatives: Navigating the Intersection of AI and Cybersecurity
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
