Unpatched vulnerabilities in Mitsubishi PLCs
Nozomi Networks, a network security specialist, highlighted multiple unpatched security vulnerabilities in Mitsubishi safety programmable logic controllers (PLCs), which are used to control electro-mechanical processes in manufacturing plants and other automation environments. Exploiting these flaws could give an attacker access to the user names registered in the module, allow unauthorized login, and cause a denial-of-service (DoS) condition.
The security issues concern the implementation of an authentication mechanism in the MELSEC communication protocol, which is used to exchange data with the target devices.
The concern here is that these flaws can be chained: a threat actor could authenticate to the PLC, tamper with its logs, change users' passwords and lock users out, at which point a complete shutdown of the PLC would be required to avoid further risk.
The vulnerabilities include:
- Username Brute-force (CVE-2021-20594, CVSS score: 5.9) – the usernames used for authentication are effectively brute-forceable
- Anti-password Brute-force Functionality Leads to Overly Restrictive Account Lockout Mechanism (CVE-2021-20598, CVSS score: 3.7) – the mechanism meant to thwart brute-force attacks does not only block the potential attacker's single IP address; it also prevents any user from any IP address from logging in for a particular timeframe, effectively locking authorized users out
- Leaks of Password Equivalent Secrets (CVE-2021-20597, CVSS score: 7.4) – a secret derived from the cleartext password can be misused to authenticate to the PLC successfully
- Session Token Management – session tokens are transmitted in cleartext and are not bound to IP addresses, enabling an adversary to reuse the same token from a different IP
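Since the PLC itself neither binds session tokens to a client address nor limits lockouts to the offending source, the observable traces of token reuse and username guessing have to be picked up from network or authentication logs. The following is an added example, not code from Nozomi Networks or Mitsubishi: the log format is constructed for illustration (real MELSEC traffic would first need to be decoded into such records), and it flags a token seen from more than one source IP and a source that tries many distinct usernames.

```python
import re
from collections import defaultdict

# Constructed log format (not a real MELSEC or Mitsubishi log). Each line:
#   <timestamp> src=<ip> user=<name> result=<ok|fail> token=<session token or ->
AUTH_LOG = """\
2021-10-01T10:00:01 src=10.0.0.5 user=admin result=fail token=-
2021-10-01T10:00:02 src=10.0.0.5 user=operator result=fail token=-
2021-10-01T10:00:03 src=10.0.0.5 user=maint result=fail token=-
2021-10-01T10:00:04 src=10.0.0.5 user=engineer result=ok token=abc123
2021-10-01T10:00:09 src=10.0.0.7 user=engineer result=ok token=abc123
2021-10-01T10:05:00 src=10.0.0.9 user=engineer result=ok token=def456
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+) token=(\S+)")


def parse(log):
    """Yield (src, user, result, token) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()


def token_reuse_across_ips(log):
    """Session tokens observed from more than one source IP.
    Because the PLC does not tie a token to the client address, the same
    token turning up from a second IP is the trace a defender can alert on.
    Returns {token: sorted list of source IPs}."""
    seen = defaultdict(set)
    for src, _user, _result, token in parse(log):
        if token != "-":
            seen[token].add(src)
    return {t: sorted(ips) for t, ips in seen.items() if len(ips) > 1}


def username_guessing(log, threshold=3):
    """Sources that attempt at least `threshold` distinct usernames.
    The PLC's lockout is global rather than per source, so the pattern
    must be detected upstream instead of relying on the device to stop it.
    Returns {src: sorted list of usernames tried}."""
    tried = defaultdict(set)
    for src, user, _result, _token in parse(log):
        tried[src].add(user)
    return {s: sorted(u) for s, u in tried.items() if len(u) >= threshold}


if __name__ == "__main__":
    print("token reuse:", token_reuse_across_ips(AUTH_LOG))
    print("username guessing:", username_guessing(AUTH_LOG))
```

Both checks are stateless over the log, so they can run as a periodic job or be folded into a SIEM rule; the threshold should be tuned to how many accounts a legitimate engineering workstation normally uses.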
The researchers did not share technical details or proof-of-concept code for these flaws, to avoid enabling further exploitation. Mitsubishi has advised several mitigation practices to limit the risk: a firewall to prevent unauthorized access, an IP filter to restrict which IP addresses can reach the device, and changing passwords via USB. It also plans to release a fixed version of the firmware in the future. The researchers stress that they want to help protect as many systems as possible.