The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on Mitsubishi MELSEC controller vulnerability CVE-2023-1424, the latest in its series of ICS vulnerability alerts. The critical vulnerability was discovered by Cisco Talos in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller and results from a buffer overflow condition.
The affected device is part of Mitsubishi’s MELSEC PLC line, which combines a processor, power supply, Ethernet, and I/O points. Exploiting the vulnerability involves sending a specially crafted network packet to the device’s MELSOFT Direct functionality. This buffer overflow can lead to a denial-of-service situation in the parsing task of the MELSOFT Direct protocol, potentially enabling remote code execution by malicious actors.
To address the issue posed by this vulnerability, Mitsubishi has released updates (version 1.240 and 1.260) for affected customers, urging immediate installation.

Industrial automation relies on control systems to regulate the operation of devices in real time. These systems, such as RTUs (Remote Terminal Units), PLCs (Programmable Logic Controllers), and DCSs (Distributed Control Systems), employ closed-loop control mechanisms.
The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet, and 16 I/O points. Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface, and other Mitsubishi-specific protocols.
On May 23, 2023, Mitsubishi Electric Corporation disclosed a critical vulnerability in their MELSEC Series CPU module. The vulnerability, rated with a CVSS v3 score of 10.0, poses a significant threat as it can be exploited remotely with low attack complexity. The issue stems from classic buffer overflow vulnerabilities present in the module.
Mitsubishi Electric Corporation is actively addressing this vulnerability and recommends immediate attention to mitigate potential risks. “A remote attacker may cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets,” warns the Mitsubishi vulnerability alert. The company advises that to execute malicious code, the attacker needs to understand the internal structure of the products.
Although the execution of malicious code requires a deep understanding of the product’s internal structure, the impact could be significant. The successful exploitation of the Mitsubishi MELSEC controller vulnerability in the MELSEC Series CPU module could lead to severe consequences. Remote attackers can disrupt the normal operation of the targeted product or execute malicious code.
“This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device,” says the Cisco Talos report. The affected products, which users are encouraged to update as soon as possible, are Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260.
The vulnerability affects specific models of the MELSEC Series, including FX5U-xMy/z and FX5UC-xMy/z. Affected units are those with a serial number of 17X**** or later and firmware version 1.220 or later. The vulnerability stems from a classic buffer overflow, in which input buffers are copied without proper size checks. Exploiting it may result in a denial-of-service condition or allow the execution of malicious code. The vulnerability has been assigned CVE-2023-1424, and its CVSS v3 base score is 10.0.
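The unchecked-copy pattern described above, shown as an added illustration beside its hardened form. This is not code from Mitsubishi, Cisco Talos or the advisory; the frame layout, buffer size and function names are hypothetical and do not reflect the real MELSOFT Direct format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical length-prefixed frame, constructed for illustration only.
 * This is NOT the real MELSOFT Direct layout:
 *   byte 0: command id, byte 1: declared payload length, bytes 2..: payload */
#define PAYLOAD_MAX 32

struct frame {
    uint8_t cmd;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Vulnerable pattern (CWE-120): the declared length is trusted, so a frame
 * that declares len > PAYLOAD_MAX writes past the end of f->payload.
 * Kept for comparison only; it is never run on the malformed sample below. */
static int parse_frame_unchecked(const uint8_t *pkt, size_t pkt_len, struct frame *f)
{
    if (pkt_len < 2) return -1;
    f->cmd = pkt[0];
    f->len = pkt[1];
    memcpy(f->payload, pkt + 2, f->len);      /* no bound check on f->len */
    return 0;
}

/* Hardened form: validate the declared length against both the destination
 * buffer and the bytes actually received before any memory is touched. */
static int parse_frame_checked(const uint8_t *pkt, size_t pkt_len, struct frame *f)
{
    if (pkt_len < 2) return -1;               /* header incomplete */
    uint8_t len = pkt[1];
    if (len > PAYLOAD_MAX) return -2;         /* would overflow payload[] */
    if ((size_t)len > pkt_len - 2) return -3; /* declares more than received */
    f->cmd = pkt[0];
    f->len = len;
    memcpy(f->payload, pkt + 2, len);
    return 0;
}

/* Constructed sample packets: a benign 4-byte payload, and a malformed frame
 * that declares 200 payload bytes while carrying only 4. */
static const uint8_t benign[]    = { 0x01, 0x04, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t oversized[] = { 0x01, 0xC8, 0xAA, 0xBB, 0xCC, 0xDD };

int check_benign(void)    { struct frame f; return parse_frame_checked(benign, sizeof benign, &f); }
int check_oversized(void) { struct frame f; return parse_frame_checked(oversized, sizeof oversized, &f); }
int check_truncated(void) { struct frame f; return parse_frame_checked(benign, 3, &f); }
/* The unchecked parser accepts the benign frame too; only the checked one refuses the malformed one. */
int check_unchecked_benign(void) { struct frame f; return parse_frame_unchecked(benign, sizeof benign, &f) == 0 ? f.len : -1; }
```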
Mitsubishi Electric has responded by developing firmware version 1.290 to address the vulnerability and recommends that users update their MELSEC Series CPU modules to this release. The company also recommends mitigation measures such as employing firewalls or virtual private networks (VPNs) to prevent unauthorized access while the device is connected, operating the affected product within a secure local area network (LAN) environment, and configuring firewalls to block access from untrusted networks and hosts.
Using the IP filter function to restrict access from untrusted hosts, and restricting physical access to LANs connected to the vulnerable products, is also advised. The Cybersecurity and Infrastructure Security Agency (CISA) further encourages adherence to its control systems security best practices, available on the official ICS webpage at cisa.gov/ics.
In conclusion, the Mitsubishi MELSEC controller vulnerability poses a significant threat to industrial control systems, and exploiting it can potentially lead to severe consequences. Therefore, users are advised to take the necessary measures, such as updating their firmware and employing mitigation strategies, to prevent unauthorized access and keep their devices secure.