OTPulse

Mitsubishi Electric MC Works64, MC Works32

Act Now | 9.4 | ICS-CERT ICSA-20-170-02 | Jun 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

MC Works32 and MC Works64 contain multiple vulnerabilities (CWE-787 buffer overflow, CWE-502 unsafe deserialization, CWE-94 arbitrary code generation/execution) that allow remote code execution, denial-of-service, information disclosure, or tampering without authentication or user interaction. The affected versions are MC Works32 v3.00A and MC Works64 v4.02C or earlier. No public exploits are currently known, but high-skill attackers can exploit these remotely. Mitsubishi Electric is working on patches; users should check the MC Works Vulnerability Information website for updates and in the interim isolate these systems from external network access.

What this means
What could happen
An attacker who reaches your MC Works engineering workstation over the network could run arbitrary code on it, potentially allowing them to alter PLC logic, modify control setpoints, or disrupt your power generation or distribution operations. They could also steal sensitive process data or crash the engineering environment.
Who's at risk
Energy utilities (power generation and distribution) that use Mitsubishi Electric MC Works32 or MC Works64 software for PLC programming and control. This affects the engineering workstations where plant technicians and engineers configure and monitor programmable logic controllers.
How it could be exploited
An attacker sends a specially crafted network message to a reachable MC Works32 or MC Works64 installation. The software deserializes untrusted data and executes arbitrary code, or processes a malicious script/object within the message. No user interaction or valid credentials are required; the vulnerability is triggered on receipt of the payload.
Prerequisites
  • Network access to the MC Works engineering workstation (typically on the ports used by the Mitsubishi Electric protocol stack)
  • MC Works32 version 3.00A (9.50.255.02) or MC Works64 version 4.02C or earlier (10.95.208.31 or earlier)
  • No authentication or special configuration required for exploitation
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (10.2%)
  • No patch currently available
  • Affects critical control system engineering environment
  • Multiple vulnerability types (code execution, denial of service, information disclosure)
Exploitability
High exploit probability (EPSS 10.2%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
MC Works32 | Version 3.00A (aka Version 9.50.255.02) | No fix (EOL)
MC Works64 | ≤ Version 4.02C (aka ≤ Version 10.95.208.31) | No fix (EOL)
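
To check an asset inventory against the affected builds listed above, the following added example (not part of the advisory or of any Mitsubishi Electric tooling) compares four-part build numbers numerically, so that "9.50.255.02" and "9.50.255.2" match. The hostnames, inventory rows and function names are constructed for illustration, and it assumes the inventory records the dotted build number; rows that carry only the lettered version are flagged for manual review.

```python
import re

# Affected builds exactly as listed in the advisory.
# "eq": only that build is listed; "le": that build and everything earlier.
AFFECTED = {
    "MC Works32": ("eq", (9, 50, 255, 2)),
    "MC Works64": ("le", (10, 95, 208, 31)),
}

def parse_build(text):
    """Turn '10.95.208.31' into (10, 95, 208, 31); None if not a 4-part build."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(product, build_text):
    """Return 'affected', 'not-listed', or 'review' for one inventory row."""
    rule = AFFECTED.get(product.strip())
    if rule is None:
        return "not-listed"      # product is not covered by this advisory
    build = parse_build(build_text)
    if build is None:
        return "review"          # lettered version (e.g. '4.02C') or blank: check by hand
    op, limit = rule
    hit = build == limit if op == "eq" else build <= limit
    return "affected" if hit else "not-listed"

# Constructed inventory rows (hostnames and builds are made up for the example).
INVENTORY = [
    ("eng-ws-01", "MC Works64", "10.95.208.31"),
    ("eng-ws-02", "MC Works64", "10.95.207.9"),
    ("eng-ws-03", "MC Works64", "10.96.1.0"),
    ("eng-ws-04", "MC Works32", "9.50.255.02"),
    ("eng-ws-05", "MC Works64", "4.02C"),
]

def report(rows=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(product, build) for host, product, build in rows}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```
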
Remediation & Mitigation
Do now
HARDENING: Isolate MC Works engineering workstations from the Internet and business network; place them behind a firewall with explicit allow rules only for authorized engineering traffic
HARDENING: If remote engineering access is necessary, require VPN with modern encryption and keep VPN software patched
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor Mitsubishi Electric's MC Works Vulnerability Information website for security patches as they become available
HOTFIX: When patches are released, apply them during a scheduled maintenance window after confirming compatibility with your PLC programs