​Mitsubishi Electric GOT2000 and GOT SIMPLE

1. EXECUTIVE SUMMARY

• ​CVSS v3 5.9
• ​ATTENTION: Exploitable remotely
• ​Vendor: Mitsubishi Electric
• ​Equipment: GOT2000 Series and GOT SIMPLE Series
• ​Vulnerability: Predictable Exact Value from Previous Values

2. RISK EVALUATION

​Successful exploitation of this vulnerability could allow an attacker to hijack data connections or prevent legitimate users from establishing data connections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

​Mitsubishi Electric reports this vulnerability affects the following HMIs when using the “FTP server” function:

• ​GOT2000 Series, GT21 model: versions 01.49.000 and prior
• ​GOT SIMPLE, GS21 model: versions 01.49.000 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 ​PREDICTABLE EXACT VALUE FROM PREVIOUS VALUES CWE-342

​A denial-of-service and spoofing (session hijacking of data connections) vulnerability exists in the FTP server function on GOT2000 series and GOT SIMPLE series because the port number of a data connection can be easily guessed due to predictable exact value from previous values.

​CVE-2023-3373 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L).

3.3 BACKGROUND

• ​CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• ​COUNTRIES/AREAS DEPLOYED: Worldwide
• ​COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

​Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has created the following versions to fix this issue: 

• ​GOT2000 Series, GT21 model version 01.50.000 or later
• ​GOT SIMPLE, GS21 model version 01.50.000 or later

​Mitsubishi Electric recommends the following steps to update:

1. ​Please contact your local Mitsubishi Electric representative to download the fixed version of GT Designer3 Version1 (GOT2000) and install on a personal computer. 
2. ​Start the GT Designer3 Version1 (GOT2000) and open the project data used in affected products. 
3. ​Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. ​Please refer to the GT Designer3 Version1 (GOT2000) Screen Design Manual (SH-081220ENG). ​“4. COMMUNICATING WITH GOT” 
4. ​After writing the required package data to the GOT, refer to the <How to check the versions in use> and check that the software has been updated to the fixed versions. 

​The fixed versions are shipped with GT Designer3 Version1(GOT2000) Ver. 1.300 N or later.

​Mitsubishi Electric recommends that customers take the following mitigations or workarounds to minimize the risk of exploiting this vulnerability:

• ​Restrict physical access to the product and the LAN to which it is connected.
• ​When Internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.
• ​Use the products within a LAN and block access from untrusted networks and hosts.
• ​Install antivirus software on your computer that can access the affected product.
• ​Use the IP filter function to restrict the accessible IP addresses.
  • ​GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG). “5.4.3 Setting the IP filter”
• ​Review whether the FTP server function is required or not, and if not, disable the FTP server function.

​Users should refer to Mitsubishi Electric’s security advisory for further information.

​CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

​CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

​Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

​Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

​CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• ​Do not click web links or open attachments in unsolicited email messages.
• ​Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
• ​Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

​No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has high attack complexity.