Mitsubishi Electric FA Engineering Software: GX Works3 Vulnerabilities

By Arthur Yamamoto on November 1, 2023

Executive Summary

On Tuesday, September 26, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-23-269-03) regarding vulnerabilities found in Mitsubishi Electric’s FA Engineering Software Products, specifically the products with the GX Works3 software. The vulnerability has a low attack complexity and stems from Incorrect Default Permissions set in the software. This could allow a local attacker to execute code, resulting in information disclosure and tampering with information.

Background

On Tuesday, September 26, 2023, researcher 01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO LTD reported this vulnerability, which affects the GX Works3 engineering software, to Mitsubishi Electric. GX Works3 is the latest generation of programming and maintenance software offered by Mitsubishi Electric, designed explicitly for the MELSEC iQ-R and MELSEC iQ-F Series control systems. It includes many new features and technologies to ensure a trouble-free engineering environment solution. It is used for the configuration, programming, and maintenance of Mitsubishi PLC (Programmable Logic Controller) devices. Engineering software is sometimes considered a fundamental part of the control system in addition to the hardware components that it services.

Vulnerabilities

The single vulnerability identified was published to the National Institute of Standards and Technology (NIST) under the Common Vulnerabilities and Exposures (CVE) number CVE-2023-4088 with a Common Vulnerability Scoring System (CVSS) v3 score of 9.3, which is critical. The vulnerability is exploitable due to permission issues within the software, making code execution feasible in all versions of Mitsubishi Electric GX Works3. Furthermore, an attacker can cause information leakage, manipulate or delete data, and cause a denial-of-service condition.

Similarly, in 2022, CVE-2022-29830 identified the existence of a Hard-coded Cryptographic Key in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Motion Control Setting (GX Works3 related software) versions from 1.000A and later. This vulnerability allowed an unauthenticated, remote attacker to disclose or tamper with sensitive information. As a result, unauthenticated attackers may acquire information about project files illegally.

Significance

GX Works3 impacts the control and monitoring of various processes, including electricity distribution, water treatment, transportation, and manufacturing. Exploiting these flaws might provide hostile actors with unauthorized access to ICS/PLC networks, possibly modifying a system’s operational settings or data. An attacker, for example, may change temperature control setpoints in a chemical facility, causing harmful reactions or mishaps. They might cause havoc on power systems by tampering with load-balancing algorithms or command-generating processes. An attacker might inflict physical damage to equipment or create system malfunctions that result in downtime with severe repercussions. These flaws highlight the importance of comprehensive cybersecurity solutions designed particularly for industrial control systems. To protect against such threats, CISA recommends the following:

  • Install the latest version described in the Mitsubishi Electric advisory into the default installation folder. If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
  • Install antivirus software on the computer using the affected product.
  • Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
  • When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., and allow only trusted users to log in remotely.
  • Do not open untrusted files or click untrusted links.
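
One way to check the first recommendation on an engineering workstation is to audit the installation folder's ACLs for entries that let non-administrative principals change its contents. The script below is an added example, not code from Mitsubishi Electric or CISA; `$InstallPath` is a placeholder for the folder GX Works3 was actually installed into, and the list of principals treated as trusted is an assumption to adjust for your environment.

```powershell
param(
    # Placeholder: the folder GX Works3 was actually installed into.
    [Parameter(Mandatory = $true)]
    [string]$InstallPath
)

# Principals expected to hold write access (an assumption; adjust as needed).
# Matched by SID so the check does not depend on the Windows display language.
$trustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (applies only to objects the user creates)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Bits that allow changing, replacing or re-permissioning content. Read bits
# are left out on purpose, so ReadAndExecute entries are not reported.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries can carry raw generic rights: GENERIC_ALL, GENERIC_WRITE.
$writeMask = $writeMask -bor 0x50000000

# The folder itself plus everything beneath it (executables, DLLs, subfolders).
$items = @(Get-Item -LiteralPath $InstallPath) +
         @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning "$(@($findings).Count) ACL entries grant write access to non-administrative principals."
    exit 1
}
Write-Output "No non-administrative write access found under $InstallPath."
```

Run it from an elevated session so that every ACL under the folder can be read; a non-zero exit code means at least one entry needs review.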

References

CVE-2022-25164 Detail. NVD. (2022a, November 24). https://nvd.nist.gov/vuln/detail/CVE-2022-25164#vulnCurrentDescriptionTitle

CVE-2022-29830 Detail. NVD. (2022b, November 24). https://nvd.nist.gov/vuln/detail/CVE-2022-29830#vulnCurrentDescriptionTitle

CVE-2022-29831 Detail. NVD. (2023, June 29). https://nvd.nist.gov/vuln/detail/CVE-2022-29831#vulnCurrentDescriptionTitle 

gHale. (2023, September 26). Mitsubishi Electric FA Engineering Software Mitigation. ISSSource. https://www.isssource.com/mitsubishi-electric-fa-engineering-software-mitigation/

Mitsubishi Electric FA Engineering Software: CISA. Cybersecurity and Infrastructure Security Agency CISA. (2023, September 28). https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 

Programming GX WORKS3 features of the software programmable controllers MELSEC. Programming GX Works3 Features of the software Programmable Controllers MELSEC | MITSUBISHI ELECTRIC FA. (n.d.). https://www.mitsubishielectric.com/fa/products/cnt/plceng/smerit/gx_works3/programming.html#:~:text=GX%20Works3%20is%20the%20latest,trouble-free%20engineering%20environment%20solution.

Ravie Lakshmanan. (2022, December 3). CISA warns of multiple critical vulnerabilities affecting Mitsubishi Electric PLCs. The Hacker News. https://thehackernews.com/2022/12/cisa-warns-of-multiple-critical.html