overview
This week, two vulnerabilities were found in Mitsubishi Electric MELSEC Series Products. The first vulnerability (CVE-2023-1618) is an active debug code vulnerability with a CVSS score of 7.5. The flaw impacts WS0-GETH00200 and is exploitable remotely with a low attack complexity.
According to CISA’s advisory, if this vulnerability is successfully exploited, an attacker can bypass authentication and gain unauthorized access by connecting to the module through telnet. They can then reset the module or, under specific circumstances, manipulate its configuration, disclose sensitive information, or modify the firmware. The vulnerability affects all versions of MELSEC WS Series - WS0-GETH00200.
The second vulnerability (CVE-2023-1424) is a classic buffer overflow vulnerability and has a CVSS score of 10. The vulnerability impacts MELSEC Series CPU modules and is also exploitable remotely with low attack complexity. CISA’s advisory states that the affected MELSEC Series CPU modules contain a vulnerability that arises from copying buffers without proper input size verification. Exploiting the flaw can lead to a denial-of-service condition and allow malicious code execution.
The following MELSEC Series CPU modules are impacted:
- MELSEC iQ-F Series FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Serial number 17X**** or later, version 1.220 and later
- MELSEC iQ-F Series FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS: Serial number 17X**** or later, version 1.220 and later
- MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: version 1.220 and later
If exploited, both vulnerabilities could have a devastating impact on the critical manufacturing industry worldwide. Avertium recommends that you patch or apply the appropriate workarounds/mitigations as soon as possible.
avertium's recommendations
Mitsubishi has released the following workarounds and mitigations for CVE-2023-1618:
- Set password for telnet sessions that are difficult for third parties to guess. The password can be up to 15 characters long. Note that "[space]" in the input string represents a single-byte space. Users can change the password for the telnet session of the affected product by using the telnet client and performing:
- Password setting:
- Enter "telnet[space]" followed by the IP address of the affected product and press the Enter key.
- When "Password" is displayed, press the Enter key without entering anything.
- When "telnet>" is displayed, enter "password[space]" followed by the desired password string and press the Enter key.
- Enter "quit" and press the Enter key.
- Confirm the password is set:
- After the Password setting process, enter "telnet[space]" followed by the IP address of the affected product and press the Enter key.
- When "Password" is displayed, enter the password string set in the Password setting process and press the Enter key.
- If "telnet>" is displayed, the password is set correctly.
- Enter "quit" and press the Enter key.
Alternatively, Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:
- Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
- Use product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
- Restrict physical access to prevent untrusted devices from connecting to the LAN.
Mitsubishi has released the following workarounds and mitigations for CVE-2023-1424:
- Mitsubishi Electric has created firmware version 1.290 to address this issue and encourages users to update. The following should be referred to when updating: "5 FIRMWARE UPDATE FUNCTION" in the MELSEC iQ-F FX5 User's Manual (Application).
Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting this vulnerability:
- Use a firewall or virtual private network (VPN) etc., to prevent unauthorized access when internet access is required.
- Use the product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
- Use IP filter function to block access from untrusted hosts.
- For details regarding the IP filter function, users can refer to "12.1 IP Filter Function" in the MELSEC iQ-F FX5 User's Manual (Ethernet Communication).
- Restrict physical access to the LAN that is connected by affected products.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-1618 and CVE-2023-1424. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
How Avertium is Protecting Our CUSTOMERS
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
- Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack.
- Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
SUPPORTING DOCUMENTATION