Positive Technologies Uncovers Vulnerabilities in Mitsubishi

Positive Technologies has discovered five vulnerabilities in Mitsubishi Electric’s MELSEC System Q and MELSEC System L series PLC processor modules. These modules are used in the chemical industry, semiconductor production, building automation, and other industries.

Mitsubishi Electric is one of the top three largest global manufacturers of industrial controllers, with over 17 million compact PLCs produced. Under its responsible disclosure policy, the company was notified of the vulnerabilities, mitigated the consequences, and scheduled a software update.

“All five vulnerabilities were classified as the most dangerous type: remote code execution (RCE). Attackers can exploit them remotely to gain full access over Mitsubishi Electric PLCs and the ICS resources they control. Attackers are allowed to change the PLC firmware code and execute other functions to manipulate the control application program downloaded into the controller. Attacks of this sort can lead to disruptions in ICS resources in the chemical, oil and gas, and other industries. To exploit these vulnerabilities, all attackers need is network access to the controller,” notes Anton Dorfman, Principal Firmware Security Researcher in the Positive Technologies Application Analysis Department, who discovered these vulnerabilities.

The vulnerabilities CVE-2024-0802, CVE-2024-0803, CVE-2024-1915, CVE-2024-1916, and CVE-2024-1917 have the same CVSS 3.0 score of 9.8 (critical severity).

According to the monitoring data of the Positive Technologies expert center, special online search engines were able to detect the IP addresses of more than 200 vulnerable Mitsubishi Electric MELSEC System Q controllers. Most of the equipment is used in Japan (56%), followed by the U.S. (6%), China (5.5%), South Korea (5.5%), Taiwan (5.5%), Canada (4.5%), Poland (4%), the UK (2%), Brazil (1.5%), Germany (1.5%), Russia (1.5%), Austria (1%), the Netherlands (1%), and Thailand (1%). Potential attackers could access these devices due to configuration errors, and the real number of vulnerable controllers could be higher.

To reduce the risk of attackers exploiting the vulnerabilities, Mitsubishi Electric recommends using a firewall and VPN, and limiting physical access to controllers, workstations, and network devices that can communicate with the PLC.

The five new vulnerabilities in MELSEC System Q and MELSEC System L were discovered during large-scale research into Mitsubishi Electric controllers. In 2022, Positive Technologies experts helped Mitsubishi Electric fix vulnerabilities in FX controllers and engineering software (GX Works3 and the MX OPC UA Module Configurator-R utility). After the company published information about the vulnerabilities, the research report was presented at Nullcon 2023.

Positive Technologies suggests using PT Industrial Security Incident Manager, an in-depth industrial traffic analysis system, for detecting attempts to exploit ICS vulnerabilities. PT ISIM recognizes communication protocols of Mitsubishi Electric MELSEC controllers, analyzes commands, and informs the security team about suspicious events and incidents.

 
