Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Mitsubishi Patches Vulnerabilities Disclosed at ICS Hacking Contest

Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems (ICS).

Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems (ICS).

White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative’s Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS’s Genesis64 HMI/SCADA product.

The researchers who successfully hacked the ICONICS product were Pedro Ribeiro and Radek Domanski of Flashback team; Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi from the Horst Goertz Institute for IT-Security; Yehuda Anikster of Claroty; and Steven Seeley and Chris Anastasio of Incite team.

They reported five critical and high-severity vulnerabilities to ICONICS, including ones that allow a remote attacker to execute arbitrary code and launch denial-of-service (DoS) attacks by sending specially crafted packets to the targeted system. One vulnerability can allow an attacker to execute arbitrary SQL commands.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The flaws impact Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. The same vulnerabilities have also been found to impact Mitsubishi’s MC Works64 and MC Works32 SCADA software. Separate advisories have been published for the affected ICONICS and Mitsubishi products by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendors.

ZDI told SecurityWeek that it will soon publish advisories for the ICONICS vulnerabilities disclosed at Pwn2Own Miami.

Industrial cybersecurity firm Claroty discovered CVE-2020-12015, a deserialization bug that can be exploited for DoS attacks. This was one of the five vulnerabilities demonstrated by the company at Pwn2Own — the other flaws impacted products from different vendors.

Advertisement. Scroll to continue reading.

“The ICONICS Genesis64 software is a human-machine interface (HMI) service that allows connectivity and monitoring of many different ‘shop floor’ devices. This product may be used to monitor and control the physical process in different verticals of the automation world. This means that disabling it through a DoS attack may harm the ability to control the process and cause it to shut down,” Nadav Erez, research team lead at Claroty, said via email.

“A Remote Code Execution (RCE) attack on such a service could allow the attacker to alter the values monitored by the engineer, thus also compromising the safety of the process. In all reported vulnerabilities, no authentication was required, and so an attacker with access to the network could exploit them and attack the service,” Erez explained.

Related: Vulnerability in Mitsubishi Controllers Can Allow Hackers to Disrupt Production

Related: Trend Micro OfficeScan Flaw Apparently Exploited in Mitsubishi Electric Hack

Related: Vulnerabilities Found in Mitsubishi Inverter Engineering Software

Related: Flaw Exposes Mitsubishi PLCs to Remote DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights