Industrial cybersecurity company Nozomi Networks Labs has identified the presence of five vulnerabilities affecting Mitsubishi’s safety programmable logic controller (PLCs) that relate to the authentication of the MELSOFT communication protocol.
An initial set of vulnerabilities were disclosed to the vendor through Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in January this year, while a second set was disclosed more recently through the same process, according to Nozomi. Currently, patches for these vulnerabilities are currently not available.
However, Nozomi advised asset owners to consider protecting the link between the engineering workstation and the PLC, such that an attacker cannot access the MELSOFT authentication or authenticated packets in cleartext. It also suggested securing access to the PLC, such that an attacker cannot actively exchange authentication packets with the PLC.
Nozomi is not currently revealing the technical details of the vulnerabilities or providing the PoCs (Proof of Concept) that it developed to demonstrate potential malicious exploits. “We are instead revealing general details out of concern that technical details could be disclosed in some form. This would leave asset owners without enough information to assess their security posture and take timely action before a potential attack occurs,” it wrote in a Nozomi blog post.
“The vendor has provided a series of mitigations which are described in the corresponding advisories. Considering the potential impact of these vulnerabilities we suggest you carefully assess your security posture and consider applying the proposed mitigations,” Nozomi added.
Toward the end of last year, Nozomi Networks Labs began a research project on MELSOFT, the communication protocol used by Mitsubishi safety PLCs and GX Works, the corresponding engineering workstation software. The company focused its analysis specifically on the authentication implementation, as it noticed that similar operational technology (OT) products from other vendors contain vulnerabilities in the attack surface.
In addition to disclosing the vulnerabilities to Mitsubishi, Nozomi also proactively shared the PoCs it developed and all the technical details of its research with the Japanese vendor. Mitsubishi analyzed Nozomi’s findings, and after acknowledging the vulnerabilities, devised a strategy to patch the issues.
The Mitsubishi MELSOFT authentication vulnerabilities were considered as two threat models in this research. In the first instance, the attacker is limited and can only exchange packets with the target PLC, while in the second instance, apart from exchanging packets, the attacker is also capable of sniffing the network traffic between the engineering workstation (EWS) and the target PLC.
In the research carried out, Nozomi analyzed MELSOFT communication protocol over TCP port 5007. Authentication is implemented with a username/password pair. In this scheme, the EWS first sends a packet containing the username in cleartext and receives a reply from the PLC. The reply contains a field that communicates to the EWS whether the username is valid for the PLC. If the username is valid, the EWS will send a second packet containing a hash generated from a set of elements. One of these elements is the cleartext password, according to Nozomi.
Nozomi revealed that the exposure of the username in cleartext over the wire has been addressed with a series of mitigations. “We instead tried to understand whether the list of valid usernames could be revealed through brute-force techniques,” Nozomi said. “To verify our hypothesis, we implemented a PoC, and the result is that usernames are effectively brute-forceable. The limiting factor for an attacker is the maximum length for a username, which is 20 characters,” it added.
After Nozomi applied the MELSOFT primitives to perform authentication, it extended its initial PoC with a password brute-forcer that, given a valid user, would try a combination of passwords repeatedly until the correct one is found. Fortunately, in this case, there’s an anti-brute-force mechanism in place that effectively blocks an attacker. However, the implementation of the mechanism is overly restrictive. It doesn’t just block a potential attacker using a single IP, it blocks any user from any IP from logging in for a certain timeframe, Nozomi added.
The consequence of this design is that if an attacker sends a limited number of passwords to the PLC, enough to trigger the anti-brute-force protection, all users with legitimate credentials are effectively blocked from authenticating with the device, it added.
If an attack of this type is taking place, the asset owner can either block the password brute-force packets from reaching the PLC and then waiting for the time window to expire before authenticating or physically rebooting the device and then authenticating immediately after the reboot process has completed.
Nozomi also detected two instances in which a “secret derived” from the cleartext password is leaked in a packet. An attacker that can read such a packet will be able to take this secret and use it to successfully become authenticated with the PLC. Due to the way the authentication is implemented, this secret is functionally equivalent to the cleartext password. Nozomi also implemented a PoC that performs a successful authentication with this secret, rather than using the password in cleartext.
A further vulnerability concerning how sessions are managed is currently under discussion, Nozomi warned asset owners.