The Cybersecurity and Infrastructure Security Agency (CISA), on October 22, 2024, issued a new advisory targeting Industrial Control Systems (ICS). One of the most significant vulnerabilities highlighted in the advisory involves the product suites from ICONICS and Mitsubishi Electric.
These advisories are designed to inform ICS users and administrators of security vulnerabilities, exploits, and emerging threats that may affect their critical infrastructure.
Executive Summary of the ICS Advisory
The vulnerability in question is categorized under CVE-2024-7587 with a CVSS v3.1 base score of 7.8, reflecting its high severity. With a low complexity of attack, this vulnerability presents a serious concern for users of ICONICS Suite, including products like GENESIS64, Hyper Historian, AnalytiX, and MobileHMI (version 10.97.3 and earlier), as well as Mitsubishi Electric’s MC Works64 across all versions.
If successfully exploited, this vulnerability could lead to data breaches, unauthorized data tampering, and in the worst-case scenario, denial-of-service (DoS) conditions.
Understanding the ICONICS and Mitsubishi Electric Vulnerability
At the core of the issue is incorrect default permissions (CWE-276), which allow unauthorized users to gain access to critical data. This could result in the disclosure of confidential information, manipulation of sensitive data, or potential denial-of-service events due to misconfigured access permissions.
While this vulnerability is not exploitable remotely, meaning it requires local access to the system, the impact is considerable, especially given that both ICONICS and Mitsubishi Electric products are widely deployed across industries worldwide, particularly within the critical manufacturing sector.
Affected Products
The advisory lists specific products impacted by this vulnerability:
- ICONICS Suite, which includes the products GENESIS64, Hyper Historian, AnalytiX, and MobileHMI, version 10.97.3 and earlier.
- Mitsubishi Electric MC Works64, which is affected across all versions.
Risk Evaluation
The vulnerability presents a moderate to high risk due to the potential for critical consequences. While the vulnerability is not exploitable remotely and does require local access, the incorrect default permissions open the door to data tampering, information disclosure, and service interruptions. Given the growing reliance on ICS across industries, such vulnerabilities can pose serious challenges to operational continuity and data integrity.
Technical Breakdown
The issue stems from default permissions being improperly assigned. Specifically, unauthorized users could potentially gain excessive access to directories that store critical data. This poses a threat not just to individual systems but also to interconnected ICS environments where even localized breaches can ripple across entire infrastructures.
The assigned CVSS vector string for this vulnerability is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
This breakdown reflects the fact that the attack requires local access (AV) and has a low complexity (AC), with the potential to significantly compromise the system’s confidentiality, integrity, and availability.
Mitigations
To address this vulnerability, ICONICS and Mitsubishi Electric recommend several mitigation strategies for their users. For ICONICS products, the following steps are critical:
- Use Version 10.97.3 CFR1 or Later: For new systems, upgrade to this version or later, which is not vulnerable to the issue.
- For Existing Systems: If using version 10.97.3 or earlier, avoid installing the included GenBroker32. Instead, download and install the latest version of GenBroker32 from ICONICS.
- Verify and Correct Folder Permissions: Administrators should review the permissions for the C:\ProgramData\ICONICS folder. If the folder provides access to the “Everyone” group, remove this permission by following a step-by-step process outlined in the advisory.
For Mitsubishi Electric MC Works64, the same principles of permissions review and security patching apply. Administrators are encouraged to:
- Regularly apply security patches as they become available.
- Continuously monitor access permissions and ensure that overly broad permissions (like “Everyone” access) are removed.
Proactive Defense Recommendations from CISA
CISA offers a wealth of resources to help ICS users defend against vulnerabilities like CVE-2024-7587. It is critical for organizations to take a proactive approach to cybersecurity, incorporating defense-in-depth strategies that include:
- Conducting a risk assessment and proper impact analysis before deploying mitigation strategies.
- Regularly reviewing and implementing best practices for ICS cybersecurity, such as those outlined in CISA’s Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies document.
- Monitoring the ICS webpage at CISA for the latest security advisories, guidance, and technical resources.
Importance of Reporting and Vigilance
While no public exploitation of this vulnerability has been reported to CISA so far, the agency urges organizations to remain vigilant. Should any malicious activity be suspected, organizations are advised to follow their established incident response procedures and report findings to CISA for correlation and tracking. Early detection and quick action can significantly reduce the potential impact of vulnerabilities within critical infrastructure systems.
By following the steps outlined in this advisory, users can reduce the risk of exploitation and ensure the resilience of their ICS infrastructure against potential threats.
