ICS Advisory

Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series

Release Date
Alert Code
ICSA-23-157-02

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity 
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool
  • Vulnerabilities: Weak Password Requirements, Use of Hard-coded Password, Missing Password Field Masking, Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to connect to the module via FTP and bypass authentication to log in.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports these vulnerabilities affect the following MELSEC iQ-R Series/iQ-F Series EtherNet/IP Modules and EtherNet/IP Configuration tool: 

  • RJ71EIP91: All versions
  • SW1DNN-EIPCT-BD: All versions
  • FX5-ENET/IP: All versions
  • SW1DNN-EIPCTFX5-BD: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD REQUIREMENTS CWE-521

Authentication bypass vulnerability in FTP function on EtherNet/IP module due to weak password requirements could allow a remote unauthenticated attacker to access to the module via FTP by dictionary attack or password sniffing.

CVE-2023-2060 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 USE OF HARD-CODED PASSWORD CWE-259

Authentication bypass vulnerability in FTP function on EtherNet/IP module could allow a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP.

CVE-2023-2061 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 MISSING PASSWORD FIELD MASKING CWE-549

The EtherNet/IP configuration tool that displays unmasked passwords due to missing password field masking results in authentication bypass vulnerability, which could allow a remote unauthenticated attacker to access the module via FTP.

CVE-2023-2062 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.4 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434 

Information disclosure, tampering, deletion, destruction vulnerability exists in the FTP function on EtherNet/IP module via file upload/download due to unrestricted upload of file with dangerous type.

CVE-2023-2063 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Iie Karada reported these vulnerabilities to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends customers take the following mitigation measures to minimize the risk of a threat actor exploiting these vulnerabilities:

  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Restrict physical access to prevent untrusted devices LAN to which the affected product connects.
  • Avoid uploading/downloading files directly using FTP, and use the EtherNet/IP configuration tool. Do not open the downloaded file with anything other than the EtherNet/IP configuration tool.
  • For FX5-ENET/IP, use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual: "12.1 IP Filter Function" in the MELSEC iQ-F FX5 User's Manual (Ethernet Communication).

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity.

This product is provided subject to this Notification and this Privacy & Use policy.