Hackers Could Target Organizations via Flaws in Mitsubishi Factory Automation Products

High-severity vulnerabilities found by researchers in Mitsubishi Electric factory automation products can be exploited to remotely attack organizations.

According to advisories published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), tens of factory automation products from Mitsubishi Electric are affected by three flaws that can be exploited for privilege escalation, arbitrary code execution and DoS attacks.

Mitsubishi has already released patches for many of the impacted products and it has also provided mitigations for the remaining products and for customers who cannot immediately install the patches.

The issues were reported to the vendor by industrial cybersecurity firm Claroty at the end of 2019 and in early 2020 as part of research into ICS project files. It’s worth mentioning that Claroty recently released an open source tool that allows researchers to analyze Microsoft Access database files associated with SCADA applications.

Mashav Sapir, the Claroty researcher who discovered these vulnerabilities, told SecurityWeek that he found the flaws in one of the products, which had been used by a customer, but he applauded Mitsubishi for providing a full list of products that are impacted.

Sapir has provided the following description for the vulnerabilities found in Mitsubishi Electric products:

CVE-2020-14496 is a permissions problem, which allows any user to write files to specific directories used by vulnerable products. This means an attacker with write permissions can overwrite a legitimate file in this directory, and this file may be executed with high permissions by the software.

CVE-2020-14523 is a zip slip vulnerability. The vulnerable products use files that are zip archives to store configurations and more. A zip archive can contain the path of multiple files. If the code that extracts the archive does not correctly sanitise these paths, extracting the malicious zip archive can result in writing files to arbitrary locations on the system outside of the intended directory.

CVE-2020-14521 refers to the use of an unquoted path in the call to some Windows APIs. This may result in the vulnerable program accessing files that were not intended. As a result, an attacker who exploits this vulnerability can load their own malicious executables in the program’s context and permissions.
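How the unquoted-path ambiguity behind CVE-2020-14521 arises, as an added audit sketch that is not code from Mitsubishi, Claroty or the advisory. It assumes the documented CreateProcess handling of an unquoted command line (the description above does not name the API); the sample paths and function names are constructed for illustration.

```python
import re

# Constructed sample command lines (hypothetical install paths, not from the advisory).
SAMPLES = [
    r'C:\Program Files\Vendor Tools\Engineering Suite\launcher.exe /project demo',
    r'"C:\Program Files\Vendor Tools\Engineering Suite\launcher.exe" /project demo',
    r'C:\Tools\launcher.exe /project demo',
]


def executable_part(cmdline):
    """Return (program_path, was_quoted) for the program portion of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    # Unquoted: take everything up to the first executable extension.
    m = re.search(r'\.(exe|com|bat|cmd)(?=\s|$)', s, re.IGNORECASE)
    return (s[:m.end()] if m else s), False


def ambiguous_candidates(cmdline):
    """Paths Windows may try before the intended program when the path is unquoted.

    Each space is treated as a possible end of the program name, so every
    returned location must not be writable by unprivileged users.
    """
    path, quoted = executable_part(cmdline)
    if quoted or ' ' not in path:
        return []
    candidates = []
    for i, ch in enumerate(path):
        if ch == ' ':
            prefix = path[:i]
            leaf = prefix.rsplit('\\', 1)[-1]
            candidates.append(prefix if '.' in leaf else prefix + '.exe')
    return candidates


def quoted_form(cmdline):
    """The fix: wrap the program path in quotes, leave the arguments untouched."""
    path, quoted = executable_part(cmdline)
    if quoted:
        return cmdline
    return f'"{path}"{cmdline.strip()[len(path):]}'
```

An empty result from `ambiguous_candidates` means the command line resolves to exactly one program; anything else is a finding to fix with `quoted_form`.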

Sapir noted that CVE-2020-14523 can be exploited remotely by convincing the targeted user to open a specially crafted project file, for example through a phishing attack.

The attacker can exploit this vulnerability to drop a malicious executable file onto the target’s system, and then exploit CVE-2020-14496 or CVE-2020-14521 to execute that file with elevated privileges.
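The check an extractor needs for the zip slip class of bug described for CVE-2020-14523, as an added example that is not code from the affected products or from Claroty. The archive contents, directory names and function names are constructed for illustration; `naive_target` shows where a join-only extractor would write, and `safe_extract` rejects the whole archive before writing anything.

```python
import io
import posixpath
import re
import zipfile
from pathlib import Path


def build_sample_archive():
    """Constructed test archive: one normal entry, two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/config.xml", "<config/>")
        zf.writestr("../../outside.txt", "escaped")
        zf.writestr("project\\..\\..\\outside2.txt", "escaped")
    return buf.getvalue()


def naive_target(dest, name):
    """Where an extractor that only joins dest + entry name would write."""
    return posixpath.normpath(posixpath.join(dest, name.replace("\\", "/")))


def entry_is_safe(name):
    """True only for relative names that stay inside the extraction root."""
    n = name.replace("\\", "/")  # Windows extractors treat both as separators
    if n.startswith("/") or re.match(r"[A-Za-z]:", n):
        return False  # absolute path or drive-letter path
    norm = posixpath.normpath(n)
    return norm != ".." and not norm.startswith("../")


def safe_extract(zip_bytes, dest):
    """Validate every entry first; write nothing if any entry escapes dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not entry_is_safe(i.filename)]
        if bad:
            raise ValueError(f"unsafe entries, archive rejected: {bad}")
        written = []
        for info in zf.infolist():
            rel = posixpath.normpath(info.filename.replace("\\", "/"))
            out = Path(dest, *rel.split("/"))
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(rel)
        return written
```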

“An attacker who succeeded in exploiting these vulnerabilities would gain full access and control over the computer running the Mitsubishi engineering software,” the researcher explained. “This means they have both full access to the ICS devices’ configuration and the ability to change it at will, as well as full network access to those devices, thus they also have the ability to directly attack them. This means the attacker can now compromise the OT environment’s operation, by modifying it undetected or by halting it entirely.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
