Mitsubishi Electric MELSEC-Q Series Ethernet Interface Module Vulnerabilities
ICSA： ICS Advisory (ICSA-16-336-03)
Security researcher Vladimir Dashchenko of Critical Infrastructure Defense Team, Kaspersky Lab has identified vulnerabilities in the Mitsubishi Electric Automation, Inc. (Mitsubishi Electric) MELSEC-Q series Ethernet interface modules. NCCIC/ICS-CERT and JPCERT have coordinated the reported vulnerabilities with Mitsubishi Electric. Mitsubishi Electric has created a product revision for newer devices that incorporates a compensating control to reduce the risk of exploitation for one of the identified vulnerabilities.
These vulnerabilities could be exploited remotely.
Exploits that target these vulnerabilities are known to be publicly available.
The following MELSEC-Q series versions are affected:
- QJ71E71-100, all versions,
- QJ71E71-B5, all versions, and
- QJ71E71-B2, all versions.
Successful exploitation of these vulnerabilities may allow an attacker to intercept weakly encrypted passwords and allow an unauthenticated remote attacker to cause a denial of service on the affected system.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Mitsubishi Electric is a Japan-based company that maintains offices in several countries around the world.
The affected products, QJ71E71-100, QJ71E71-B5, and QJ71E71-B2, are Ethernet interface modules that connect the MELSEC-Q series programmable controllers to the host network. According to Mitsubishi Electric, the MELSEC-Q series Ethernet interface modules are deployed across several sectors including Commercial Facilities, Critical Manufacturing, and Food and Agriculture. Mitsubishi Electric estimates that these products are used worldwide.
USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHMa
Weakly encrypted passwords are transmitted to a MELSEC-Q PLC.
UNRESTRICTED EXTERNALLY ACCESSIBLE LOCKd
The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation.
These vulnerabilities could be exploited remotely.
EXISTENCE OF EXPLOIT
Exploits that target these vulnerabilities are publicly available.
An attacker with low skill would be able to exploit these vulnerabilities.
Mitsubishi Electric has released a product revision for newer devices with serial numbers 18072 and later to implement IP filtering for the QJ71E71-100, QJ71E71-B5, and QJ71E71-B2 Ethernet interface modules. Mitsubishi Electric reports that the IP filter function improves access prevention from external sources; however, the IP filter function does not completely prevent unauthorized access. Additional measures to encrypt communications pathway are required, such as IPsec. The cryptographic algorithm vulnerability will not be addressed.
Additional information about the vulnerabilities or Mitsubishi Electric’s compensating control is available by contacting a local Mitsubishi representative, which can be found at the following location:
Mitsubishi Electric strongly recommends that users should operate the affected device behind a firewall.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Ensure that all unused ports are disabled.
- Implementing IPsec can be used to encrypt communication pathways.
- Asset owners may wish to consider implementing a Bump-in-the-Wire (BitW) solution to improve security. The BitW solution involves two devices inserted in the unsecured communications pathway to provide secure communication between endpoints. The original devices communicate with the BitW device at each end. The BitW devices communicate with each other and provide encryption services without modification of the original devices. This technology can be applied to local area networks communications or serial communications.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Minimize network exposure to all untrusted systems and ensure that the affected products are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- a. CWE-327: Use of a Broken or Risky Cryptographic Algorithm, http://cwe.mitre.org/data/definitions/327.html, web site last accessed December 01, 2016.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8370, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, web site last accessed December 01, 2016.
- d. CWE-412: Unrestricted Externally Accessible Lock, http://cwe.mitre.org/data/definitions/412.html, web site last accessed December 01, 2016.
- e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8368, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.
- f. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, web site last accessed December 01, 2016.