Nozomi detects cybersecurity flaws in GX Works3 that threaten Mitsubishi Electric safety PLC security
Nozomi Networks uncovered three additional vulnerabilities that affect Mitsubishi Electric GX Works3, which in the worst-case scenario, may lead to the compromise of safety programmable logic controller (PLCs) with the only requirement being the possession of associated GX Works3 project files. Still unpatched by the vendor, the security flaws may allow an attacker to compromise safety PLCs provided that they gain access to one associated GX Works3 project file.
Tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833, the vulnerabilities add to the existing five vulnerabilities that were disclosed by Nozomi last August. The vulnerabilities affect Mitsubishi’s safety PLCs that relate to the authentication of the MELSOFT communication protocol. The newly identified vulnerabilities affect GX Works3 versions 1.015R and later.
“The vendor has not been able to provide a fix for these vulnerabilities yet (Mitsubishi Electric will release a patch for CVE-2022-29831 in the near future which will mitigate the risk of CVE-2022-29832 and CVE-2022-29833), but has documented a series of mitigations in the corresponding advisory,” the Nozomi Networks Labs researchers wrote in a blog post.
“Considering the potential impact of these vulnerabilities, similar to last year’s issues, our recommendation remains to carefully assess your security posture and consider applying the proposed mitigations,” the post added. “For the same reason, we are not releasing in-depth technical details in this article but will provide the necessary information for asset owners to understand the risk and prepare in advance to potential cyberattacks.”
Engineering software represents a critical component in the security chain of industrial controllers. Should any vulnerabilities arise in them, adversaries may abuse them to ultimately compromise the managed devices and, consequently, the supervised industrial process.
Nozomi identified that while assessing the entire security posture of a PLC, the analysis of the companion engineering software plays a crucial role. “As PLCs can be extensively managed through the engineering software (upload and download of programs from/to the PLC, diagnosis and troubleshooting of software and hardware issues, maintenance operations, etc.), it is no surprise that the engineering software can become an appealing target for attackers: by directly compromising them, or the computer on which they are running, threat actors can easily obtain control of the managed controller.”
This is not a far-fetched scenario, as this vector is exactly the one leveraged by Stuxnet through its entire chain to ultimately compromise the centrifuges used in Iranian nuclear facilities, the researchers added.
“Notably, GX Works3 is the programming and maintenance software offered by Mitsubishi Electric and specifically designed for the MELSEC iQ-R and MELSEC iQ-F Series control system,” the post said. “GX Works3 project files targeting safety CPU modules are encrypted at-rest and require a username-password pair to open them, which the user defines upon project creation. We decided to assess this security model to understand if there are any opportunities for attackers to circumvent it, and determine the exact consequences of these possible pitfalls on related PLCs,” it added.
Nozomi identified that to exploit these flaws, an attacker is required to obtain just one safety PLC project file. “This may occur in several ways: through a misconfigured file server, by accessing a shared computer, or by eavesdropping an unprotected communication, for instance. If that happens, they may immediately abuse the first two issues and obtain confidential information included in the project file about the project itself, as well as about the usernames of the accounts registered on the related safety CPU module,” the post added.
However, if an asset owner has opted to re-use the same credentials for accessing the safety CPU module to also protect the related project file, a much more dangerous scenario would occur. “As a matter of fact, in this situation, an attacker may chain all three issues and obtain a remarkably powerful attack primitive that would allow them to directly access the safety CPU module. This would give them the potential opportunity to compromise it and, therefore, disrupt the managed industrial process,” the researchers said.
While waiting for a patch from Mitsubishi Electric, which will arrive in the near future, Nozomi has called upon asset owners and operators to restrict access to safety CPU project files by untrusted parties as much as possible, adequately protect safety CPU project files, while both in transit and at rest, change all weak passwords (if any) set on safety CPU modules, and never re-use the same credentials to open safety CPU project files and to access the safety CPU modules.
Last week, Nozomi also identified that the number of malware samples found in Internet of Things (IoT) devices increased over the past few years, making these devices become easy targets for hackers. The fact that the IoT default credentials are not being changed and the IoT devices are not being properly configured and/or are not updated, as often as they should, has led to the hardware equipment being targeted by adversaries.
Related
