At the end of 2020, Nozomi Networks Labs began a research project on MELSOFT, the communication protocol used by Mitsubishi Electric safety PLCs, and GX Works3, the corresponding engineering workstation software. In a previous blog released last year, we presented five vulnerabilities that relate to the authentication mechanism of the MELSOFT communication protocol and that could be abused by attackers to compromise safety PLCs.
In this blog, we uncover three additional vulnerabilities that affect Mitsubishi Electric GX Works3, tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 (Mitsubishi Electric advisory 2022-015, CISA advisory ICSA-22-333-05), and that, in the worst-case scenario, may lead to the compromise of safety PLCs with the only requirement being the possession of associated GX Works3 project files.
The vendor has not been able to provide a fix for these vulnerabilities yet (Mitsubishi Electric will release a patch for CVE-2022-29831 in the near future which will mitigate the risk of CVE-2022-29832 and CVE-2022-29833), but has documented a series of mitigations in the corresponding advisory. Considering the potential impact of these vulnerabilities, similar to last year’s issues, our recommendation remains to carefully assess your security posture and consider applying the proposed mitigations. For the same reason, we are not releasing in-depth technical details in this article but will provide the necessary information for asset owners to understand the risk and prepare in advance for potential cyberattacks.
For Nozomi Networks customers, our Threat Intelligence service has also been updated to detect and warn of vulnerable GX Works3 installations.
Background
While assessing the entire security posture of a programmable logic controller, the analysis of the companion engineering software plays a crucial role. As PLCs can be extensively managed through the engineering software (upload and download of programs from/to the PLC, diagnosis and troubleshooting of software and hardware issues, maintenance operations, etc.), it is no surprise that the engineering software can become an appealing target for attackers: by directly compromising it, or the computer on which it is running, threat actors can easily obtain control of the managed controller. This is not a far-fetched scenario, as this vector is exactly the one leveraged by Stuxnet through its entire chain to ultimately compromise the centrifuges used in Iranian nuclear facilities.
Notably, GX Works3 is the programming and maintenance software offered by Mitsubishi Electric and specifically designed for the MELSEC iQ-R and MELSEC iQ-F Series control system. GX Works3 project files targeting safety CPU modules are encrypted at-rest and require a username-password pair to open them, which the user defines upon project creation (Figure 1). We decided to assess this security model to understand if there are any opportunities for attackers to circumvent it, and determine the exact consequences of these possible pitfalls on related PLCs.
Vulnerabilities Found
While analyzing the project files of GX Works3, we found three vulnerabilities, as listed below:
- CVE-2022-29831: Use of Hard-coded Password (CWE-259), CVSS v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- CVE-2022-29832: Cleartext Storage of Sensitive Information in Memory (CWE-316), CVSS v3.1 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
- CVE-2022-29833: Insufficiently Protected Credentials (CWE-522), CVSS v3.1 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)
These vulnerabilities affect GX Works3 versions 1.015R and later.
As the development of a patch is still in progress, technical details have intentionally been omitted from this article.
Requirements and Impacts
To successfully exploit these flaws, all an attacker is required to do is obtain just one safety PLC project file. This may occur in several ways: through a misconfigured file server, by accessing a shared computer, or by eavesdropping on an unprotected communication, for instance. If that happens, they may immediately abuse the first two issues and obtain confidential information included in the project file about the project itself, as well as about the usernames of the accounts registered on the related safety CPU module.
However, if an asset owner has opted to re-use the same credentials for accessing the safety CPU module to also protect the related project file, a much more dangerous scenario would occur. As a matter of fact, in this situation, an attacker may chain all three issues and obtain a remarkably powerful attack primitive that would allow them to directly access the safety CPU module. This would give them the potential opportunity to compromise it and, therefore, disrupt the managed industrial process.
Mitigations
While waiting for a patch from Mitsubishi Electric (which will arrive in the near future), we recommend applying the following mitigations:
- Restrict access to safety CPU project files by untrusted parties as much as possible;
- Adequately protect safety CPU project files, both in transit and at rest (e.g., by encrypting them);
- Change all weak passwords (if any) set on safety CPU modules;
- Never re-use the same credentials to open safety CPU project files and to access the safety CPU modules.
Other mitigations are available in the Mitsubishi Electric advisory.
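Restricting access starts with knowing where project files are stored and who can read them. The following is an added example, not code from Nozomi Networks or Mitsubishi Electric: it audits a POSIX file share for project files exposed beyond their owning account. The `.gx3` extension, the sample tree and all file names are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: GX Works3 projects are stored with a .gx3 extension.
PROJECT_EXTENSIONS = {".gx3"}

def audit_project_files(root):
    """Return (relative path, issues) for project files under root whose
    POSIX mode bits, or parent directory, expose them beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = os.stat(dirpath).st_mode
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROJECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if mode & stat.S_IRGRP:
                issues.append("group-readable")
            # Without the sticky bit, anyone can replace files in this directory.
            if dir_mode & stat.S_IWOTH and not dir_mode & stat.S_ISVTX:
                issues.append("parent directory world-writable")
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)

def build_sample_share():
    """Constructed sample tree standing in for an engineering file share."""
    root = tempfile.mkdtemp(prefix="gx3_audit_")
    samples = {"line1/press_safety.gx3": 0o644,   # exposed
               "line2/robot_cell.gx3": 0o600,     # owner only
               "line2/notes.txt": 0o644}          # not a project file
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o750)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real project")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, issues in audit_project_files(build_sample_share()):
        print(f"{rel}: {', '.join(issues)}")
```

On Windows file servers the equivalent check is against NTFS and share ACLs, which POSIX mode bits do not reflect.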
Summary
Engineering software represents a critical component in the security chain of industrial controllers. Should any vulnerabilities arise in it, adversaries may abuse them to ultimately compromise the managed devices and, consequently, the supervised industrial process. In this blog, we have revealed three vulnerabilities affecting Mitsubishi Electric GX Works3 that are still unpatched by the vendor. In the worst situation, these flaws may allow an attacker to compromise safety PLCs provided that they gain access to one associated GX Works3 project file.
While waiting for a patch, we advise asset owners to evaluate applying the mitigations that Mitsubishi Electric has included in their advisory, as well as the ones that we have provided in this blogpost.