High-severity vulnerabilities found by researchers in Mitsubishi Electric factory automation products can be exploited to remotely attack organizations.
According to advisories published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), tens of factory automation products from Mitsubishi Electric are affected by three flaws that can be exploited for privilege escalation, arbitrary code execution and DoS attacks.
Mitsubishi has already released patches for many of the impacted products and it has also provided mitigations for the remaining products and for customers who cannot immediately install the patches.
The issues were reported to the vendor by industrial cybersecurity firm Claroty at the end of 2019 and in early 2020 as part of research into ICS project files. It’s worth mentioning that Claroty recently released an open source tool that allows researchers to analyze Microsoft Access database files associated with SCADA applications.
Mashav Sapir, the Claroty researcher who discovered these vulnerabilities, told SecurityWeek that he found the flaws in one of the products, which had been used by a customer, but he applauded Mitsubishi for providing a full list of products that are impacted.
Sapir has provided the following description for the vulnerabilities found in Mitsubishi Electric products:
CVE-2020-14496 is a permissions problem, which allows any user to write files to specific directories used by vulnerable products. This means an attacker with write permissions can overwrite a legitimate file in this directory, and this file may be executed with high permissions by the software.
CVE-2020-14523 is a zip slip vulnerability. The vulnerable products use files that are zip archives to store configurations and more. A zip archive can contain the path of multiple files. If the code that extracts the archive does not correctly sanitise these paths, extracting the malicious zip archive can result in writing files to arbitrary locations on the system outside of the intended directory.
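The check that an extractor has to make before writing each entry, as an added example that is not Mitsubishi's or Claroty's code: every entry name, including backslash-separated and absolute ones, is resolved against the destination directory and rejected when the resolved path lands outside it. The archive and the destination path are constructed for the example; the real project-file format is not reproduced here.

```python
import io
import os
import zipfile

# Hypothetical destination an engineering tool would unpack a project into.
DEST_DIR = "/opt/engineering_tool/projects/current"


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate entry plus three traversal-style entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project/config.xml", "<config/>")
        zf.writestr("../../../Startup/run.exe", "placeholder bytes")
        zf.writestr("/abs/path.txt", "absolute entry")
        zf.writestr("..\\..\\win_style.txt", "backslash traversal")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr; a symlink entry
    # could redirect later writes, so a careful extractor refuses it.
    return (info.external_attr >> 16) & 0o170000 == 0o120000


def resolve_target(dest_dir: str, member_name: str):
    """Absolute path the entry would be written to, or None if it escapes dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    # Windows extractors treat backslashes as separators, so the check must too.
    name = member_name.replace("\\", "/")
    # os.path.join discards dest_real when name is absolute, which is exactly
    # what makes an absolute entry fail the containment check below.
    candidate = os.path.realpath(os.path.join(dest_real, name))
    try:
        inside = os.path.commonpath([dest_real, candidate]) == dest_real
    except ValueError:  # different drives or absolute/relative mix on Windows
        inside = False
    return candidate if inside else None


def classify_entries(archive_bytes: bytes, dest_dir: str):
    """Dry run: return (entries that would be written, entries that are rejected)."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink(info) or resolve_target(dest_dir, info.filename) is None:
                rejected.append(info.filename)
            else:
                safe.append(info.filename)
    return safe, rejected


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Write only entries that resolve inside dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = None if is_symlink(info) else resolve_target(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


if __name__ == "__main__":
    ok, bad = classify_entries(build_sample_archive(), DEST_DIR)
    print("would extract:", ok)
    print("rejected:", bad)
```

The dry-run classifier is the piece to reuse in a detection pipeline: running it over incoming project files flags archives that carry traversal entries before any extractor touches them. Note that `zipfile.extractall` in current CPython already strips `..` components, so the manual check matters for extractors written in other languages or older runtimes.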
CVE-2020-14521 refers to the use of an unquoted path in the call to some Windows APIs. This may result in the vulnerable program accessing files that were not intended. As a result, an attacker who exploits this vulnerability can load their own malicious executables in the program’s context and permissions.
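An audit helper for the unquoted-path class, added here as an example and not code from the vendor or the researcher: given a command line as it would be stored in a service or launcher configuration, it enumerates the candidate paths Windows' documented `CreateProcess` search tries (split at each space, `.exe` appended when no extension is present), lists the directories whose ACLs therefore need review, and produces the quoted form that removes the ambiguity. The command lines and the rule that the executable ends at the first token with an executable extension are constructed assumptions for the example.

```python
import ntpath

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")

# Constructed sample command lines of the kind found in service ImagePath values.
SAMPLE_COMMANDS = {
    "vendor_agent_unquoted": r"C:\Program Files\Vendor Tool\bin\agent.exe -service",
    "vendor_agent_quoted": r'"C:\Program Files\Vendor Tool\bin\agent.exe" -service',
    "no_spaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}


def _split_unquoted(command_line: str):
    """Heuristic (assumption): the executable ends at the first space-delimited
    prefix carrying an executable extension; the rest is the argument string."""
    tokens = command_line.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXEC_EXTS):
            return prefix, " ".join(tokens[i:])
    return command_line, ""


def search_candidates(command_line: str) -> list:
    """Paths CreateProcess would try, in order, before reaching the intended binary."""
    if command_line.startswith('"'):
        # Quoted form: the executable is exactly the quoted span, nothing to guess.
        return [command_line[1:command_line.find('"', 1)]]
    exe, _ = _split_unquoted(command_line)
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        cand = " ".join(tokens[:i])
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"  # documented: .exe is appended when no extension
        candidates.append(cand)
    return candidates


def needs_quoting(command_line: str) -> bool:
    """True when the executable path contains a space and is not quoted."""
    return not command_line.startswith('"') and " " in _split_unquoted(command_line)[0]


def directories_to_audit(command_line: str) -> list:
    """Directories that must not be writable by unprivileged users, because a
    file placed there would be tried before the intended executable."""
    dirs = []
    for cand in search_candidates(command_line)[:-1]:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs


def quote_executable(command_line: str) -> str:
    """Mitigated form: wrap the executable path in quotes, leave arguments as-is."""
    if not needs_quoting(command_line):
        return command_line
    exe, args = _split_unquoted(command_line)
    return f'"{exe}"' + (" " + args if args else "")


def audit(commands: dict) -> dict:
    """Summarise each command line: unquoted?, directories to check, fixed form."""
    return {
        name: {
            "needs_quoting": needs_quoting(cmd),
            "audit_dirs": directories_to_audit(cmd) if needs_quoting(cmd) else [],
            "fixed": quote_executable(cmd),
        }
        for name, cmd in commands.items()
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_COMMANDS).items():
        print(name, result)
```

`ntpath` is used so the Windows path rules apply wherever the audit runs; the same logic can be fed with `ImagePath` values exported from the registry or scheduled-task command lines.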
Sapir noted that CVE-2020-14523 can be exploited remotely by convincing the targeted user to open a specially crafted project file, for example through a phishing attack.
The attacker can exploit this vulnerability to drop a malicious executable file onto the target’s system, and then exploit CVE-2020-14496 or CVE-2020-14521 to execute that file with elevated privileges.
“An attacker who succeeded in exploiting these vulnerabilities would gain full access and control over the computer running the Mitsubishi engineering software,” the researcher explained. “This means they have both full access to the ICS devices’ configuration and the ability to change it at will, as well as full network access to those devices, thus they also have the ability to directly attack them. This means the attacker can now compromise the OT environment’s operation, by modifying it undetected or by halting it entirely.”