In a new blog post from Nozomi Networks, five new vulnerabilities affecting Mitsubishi safety PLCs are revealed. There are currently no patches available for the vulnerabilities, which relate to the authentication implementation of the MELSOFT communication protocol.
A first set of vulnerabilities was disclosed to the vendor through ICS-CERT in January 2021. A second set was disclosed more recently through the same process. Currently, patches for these vulnerabilities are not available. The vendor has provided a series of mitigations which are described in the corresponding advisories. Considering the potential impact of these vulnerabilities, Nozomi suggests you carefully assess your security posture and consider applying the proposed mitigations.
Thus, at this time we are not revealing the technical details of the vulnerabilities, or providing the PoCs (Proof of Concept) we developed to demonstrate potential malicious exploits. We are instead revealing general details out of concern that technical details could be disclosed in some form. This would leave asset owners without enough information to assess their security posture and take timely action before a potential attack occurs.
For Nozomi Networks customers, know that our Threat Intelligence service includes detection logic for these vulnerabilities and will alert you if an attack is taking place. For other asset owners, and members of the security community, this blog post informs you of the situation and provides general mitigations for protecting your operational environments.
Discovering and disclosing the MELSOFT authentication vulnerabilities
At the end of 2020, Nozomi Networks Labs began a research project on MELSOFT, the communication protocol used by Mitsubishi safety PLCs and GX Works3, the corresponding engineering workstation software. We focused our analysis specifically on the authentication implementation, as we noticed that similar OT products from other vendors contain vulnerabilities in this attack surface.
In addition to disclosing the vulnerabilities to the vendor, we also proactively shared the PoCs we developed and all the technical details of our research with them. Mitsubishi analysed our findings, and after acknowledging the vulnerabilities, devised a strategy to patch the issues.
As you may already be aware, software updates for products like safety PLCs or medical devices take longer to deploy than other software products, like the web browser you’re using to read this blog. This is because in addition to developing and testing the patch, vendors are required to comply with specific certification processes. Depending on the type of device and regulatory framework, the certification procedure could be required for each individual software update.
Why we’re revealing the vulnerabilities now
While waiting for the patch development and deployment process to be completed, we deployed detection logic for customers of our Threat Intelligence service. At the same time, we started researching more general detection strategies to share with asset owners and the ICS security community at large.
It’s likely that the types of issues we uncovered affect the authentication of OT protocols from more than a single vendor, and we want to help protect as many systems as possible. Our general concern is that asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations. For the same reason, what follows is a general description of the issues found in Mitsubishi safety PLCs and GX Works3. At this stage we won’t focus on all of the technicalities of MELSOFT authentication, nor describe the PoCs we’ve developed. Instead we provide what should be enough for security teams to assess the risks to their own environments.
Read the rest of the blog here, including a description of the Mitsubishi MELSOFT authentication vulnerabilities, an attack scenario devised by chaining together multiple vulnerabilities, and mitigations to consider right now.
Image: Nozomi Networks Labs has discovered five vulnerabilities affecting Mitsubishi safety PLCs, used in many industries. Asset owners should assess their security posture now and take general mitigations until patches are available.
Read the article online at: https://www.worldpipelines.com/business-news/06082021/nozomi-networks-highlights-five-new-vulnerabilities-affecting-mitsubishi-safety-plcs/