Multiple unpatched security vulnerabilities have been disclosed in Mitsubishi safety programmable logic controllers (PLCs) that could be exploited by an adversary to acquire legitimate user names registered in the module via a brute-force attack, unauthorizedly login to the CPU module, and even cause a denial-of-service (DoS) condition.
The security weaknesses, disclosed by Nozomi Networks, concern the implementation of an authentication mechanism in the MELSEC communication protocol that's used to communicate and exchange data with the target devices by reading and writing data to the CPU module.
A quick summary of the flaws is listed below -
- Username Brute-force (CVE-2021-20594, CVSS score: 5.9) - Usernames used during authentication are effectively brute-forceable
- Anti-password Brute-force Functionality Leads to Overly Restrictive Account Lockout Mechanism (CVE-2021-20598, CVSS score: 3.7) - The implementation to thwart brute-force attacks not only blocks a potential attacker from using a single IP address, but it also prohibits any user from any IP address from logging in for a certain timeframe, effectively locking legitimate users out
- Leaks of Password Equivalent Secrets (CVE-2021-20597, CVSS score: 7.4) - A secret derived from the cleartext password can be abused to authenticate with the PLC successfully
- Session Token Management - Cleartext transmission of session tokens, which are not bound to an IP address, thus enabling an adversary to reuse the same token from a different IP after it has been generated
Troublingly, some of these flaws can be strung together as part of an exploit chain, permitting an attacker to authenticate themselves with the PLC and tamper with the safety logic, lock users out of the PLC, and worse, change the passwords of registered users, necessitating a physical shutdown of the controller to prevent any further risk.
The researchers refrained from sharing technical specifics of the vulnerabilities or the proof-of-concept (PoC) code that was developed to demonstrate the attacks due to the possibility that doing so could lead to further abuse. While Mitsubishi Electric is expected to release a fixed version of the firmware in the "near future," it has published a series of mitigations that are aimed at protecting the operational environments and stave off a possible attack.
Stating that it's currently investigating the authentication bypass vulnerability concerning how sessions are managed, the company is recommending a combination of mitigation measures to minimize the risk of potential exploitation, including using a firewall to prevent unsanctioned access over the internet, an IP filter to restrict accessible IP addresses, and changing the passwords via USB.
"It's likely that the types of issues we uncovered affect the authentication of OT protocols from more than a single vendor, and we want to help protect as many systems as possible," the researchers noted. "Our general concern is that asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations."