Mitsubishi Electric created a product revision for newer MELSEC-Q series Ethernet interface modules that incorporates a compensating control to reduce the risk of exploitation for one of the multiple vulnerabilities in the device, according to a report with ICS-CERT.
These vulnerabilities, discovered by security researcher Vladimir Dashchenko of Critical Infrastructure Defense Team at Kaspersky Lab, are remotely exploitable.
Exploits that target these vulnerabilities are publicly available. NCCIC/ICS-CERT and JPCERT coordinated the reported vulnerabilities with Mitsubishi Electric.
The following MELSEC-Q series versions suffer from the issues:
• QJ71E71-100, all versions
• QJ71E71-B5, all versions
• QJ71E71-B2, all versions
Successful exploitation of these vulnerabilities may allow an attacker to intercept weakly encrypted passwords and allow an unauthenticated remote attacker to cause a denial of service on the affected system.
Mitsubishi Electric is a Japan-based company that maintains offices in several countries around the world.
The affected products, QJ71E71-100, QJ71E71-B5, and QJ71E71-B2, are Ethernet interface modules that connect the MELSEC-Q series programmable controllers to the host network. The MELSEC-Q series Ethernet interface modules see action across several sectors including commercial facilities, critical manufacturing, and food and agriculture. Mitsubishi Electric estimates these products see use on a global basis.
In one vulnerability, weakly encrypted passwords end up transmitted to a MELSEC-Q PLC.
CVE-2016-8370 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
In addition, the affected Ethernet interface module ends up connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation.
CVE-2016-8368 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
Exploits that target these vulnerabilities are publicly available. An attacker with low skill would be able to exploit these vulnerabilities.
Mitsubishi Electric released a product revision for newer devices with serial numbers 18072 and later to implement IP filtering for the QJ71E71-100, QJ71E71-B5, and QJ71E71-B2 Ethernet interface modules.
Mitsubishi Electric reports the IP filter function improves access prevention from external sources; however, the IP filter function does not completely prevent unauthorized access. Additional measures to encrypt communications pathway end up required, such as IPsec. The company will not address the cryptographic algorithm vulnerability.
Additional information about the vulnerabilities or Mitsubishi Electric’s compensating control is available by contacting a local Mitsubishi representative.
Mitsubishi Electric recommends users should operate the affected device behind a firewall.