Mitsubishi Patches Vulnerabilities Disclosed at ICS Hacking Contest

Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems (ICS).

White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative’s Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS’s Genesis64 HMI/SCADA product.

The researchers who successfully hacked the ICONICS product were Pedro Ribeiro and Radek Domanski of Flashback team; Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi from the Horst Goertz Institute for IT-Security; Yehuda Anikster of Claroty; and Steven Seeley and Chris Anastasio of Incite team.

They reported five critical and high-severity vulnerabilities to ICONICS, including ones that allow a remote attacker to execute arbitrary code and launch denial-of-service (DoS) attacks by sending specially crafted packets to the targeted system. One vulnerability can allow an attacker to execute arbitrary SQL commands.

The flaws impact Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. The same vulnerabilities have also been found to impact Mitsubishi’s MC Works64 and MC Works32 SCADA software. Separate advisories have been published for the affected ICONICS and Mitsubishi products by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendors.

ZDI told SecurityWeek that it will soon publish advisories for the ICONICS vulnerabilities disclosed at Pwn2Own Miami.

Industrial cybersecurity firm Claroty discovered CVE-2020-12015, a deserialization bug that can be exploited for DoS attacks. This was one of the five vulnerabilities demonstrated by the company at Pwn2Own — the other flaws impacted products from different vendors.

“The ICONICS Genesis64 software is a human-machine interface (HMI) service that allows connectivity and monitoring of many different ‘shop floor’ devices. This product may be used to monitor and control the physical process in different verticals of the automation world. This means that disabling it through a DoS attack may harm the ability to control the process and cause it to shut down,” Nadav Erez, research team lead at Claroty, said via email.

“A Remote Code Execution (RCE) attack on such a service could allow the attacker to alter the values monitored by the engineer, thus also compromising the safety of the process. In all reported vulnerabilities, no authentication was required, and so an attacker with access to the network could exploit them and attack the service,” Erez explained.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.