The Cybersecurity and Infrastructure Security Agency (CISA) issued a special advisory on Mitsubishi MELSEC controller vulnerability CVE-2023-1424, apart from the list of ICS vulnerability alerts issued two days before that.
Cisco Talos found this critical vulnerability CVE-2023-1424 in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller, resulting from a buffer overflow condition.
The affected device, part of Mitsubishi’s MELSEC PLC line, combines a processor, power supply, Ethernet, and I/O points.
Exploiting the vulnerability involves sending a specially crafted network packet to the device’s MELSOFT Direct functionality.
This buffer overflow can lead to a denial-of-service situation in the parsing task of the MELSOFT Direct protocol, potentially enabling remote code execution by malicious actors.
To address the issue posed by this vulnerability CVE-2023-1424, Mitsubishi released updates (version 1.240 and 1.260) for affected customers, urging immediate installation.
Industrial Automation relies on Control Systems to regulate the functioning of devices in real-time.
These systems, such as RTUs (Remote Terminal Units), PLCs (Programmable Logic Controllers), and DCSs (Distributed Control Systems), employ closed-loop control mechanisms.
Mitsubishi MELSEC controller vulnerability: In a nutshell
“The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet and 16 I/O points,” said a CISO Talos assessment report of the vulnerability.
Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface and other Mitsubishi-specific protocols.
On May 23, 2023, Mitsubishi Electric Corporation disclosed a critical vulnerability in their MELSEC Series CPU module.
The vulnerability, rated with a CVSS v3 score of 10.0, poses a significant threat as it can be exploited remotely with low attack complexity.
The issue stems from classic buffer overflow vulnerabilities present in the module. Mitsubishi Electric Corporation is actively addressing this vulnerability and recommends immediate attention to mitigate potential risks.
“A remote attacker may cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets,” said the Mitsubishi vulnerability alert.
“However, the attacker needs to understand the internal structure of products to execute malicious code,” it added.
Although the execution of malicious code requires a deep understanding of the product’s internal structure, the impact could be significant.
Risk evaluation of the Mitsubishi MELSEC controller vulnerability
The successful exploitation of the Mitsubishi MELSEC controller vulnerability in the MELSEC Series CPU module could lead to severe consequences. Remote attackers can disrupt the normal operation of the targeted product or execute malicious code.
“This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device,” said the CISCO Talos report.
While executing malicious code is challenging due to the requirement of understanding the product’s internal structure, the potential impact and risk associated with this vulnerability should not be ignored.
“Users are encouraged to update these affected products as soon as possible: Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260,” urged the CISCO Talos report.
“Talos tested and confirmed these versions of the controller could be exploited by this vulnerability, however, Mitsubishi also stated in its advisory that versions 1.220 and later are affected.”
Mitsubishi MELSEC controller vulnerability: Technical details
The vulnerability affects specific models of the MELSEC Series, including FX5U-xMy/z and FX5UC-xMy/z. These models must have a serial number of 17X**** or later and firmware version 1.220 and later.
The vulnerability stems from a classic buffer overflow, where input buffers are copied without proper size checks. Exploiting this vulnerability may result in a denial-of-service condition or allow the execution of malicious code.
The vulnerability has been assigned CVE-2023-1424, and its CVSS v3 base score is 10.0.
Mitsubishi Electric has responded swiftly by developing firmware version 1.290 to address the vulnerability.
The company recommended users to update their MELSEC Series CPU modules with this firmware release. Additionally, the company recommended mitigation measures such as employing firewalls or virtual private networks (VPNs) to prevent unauthorized access when connected.
It also suggested operating the affected product within a secure local area network (LAN) environment and configuring firewalls to block access from untrusted networks and hosts.
Utilizing the IP filter function to restrict access from untrusted hosts and restricting physical access to LANs connected to the vulnerable products are also advised.
Cybersecurity and Infrastructure Security Agency (CISA) further encourages adherence to their control systems security best practices, available on the official ICS webpage at cisa.gov/ics.
