OTPulse

Mitsubishi Electric Factory Automation Engineering Software Products

Monitor | 7.5 | ICS-CERT ICSA-20-182-02 | Jun 30, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Mitsubishi Electric factory automation engineering software products contain XML external entity (XXE) injection (CWE-611) and improper resource management (CWE-400) vulnerabilities in how they parse project and configuration files. These flaws allow a local attacker to read arbitrary files from an engineering workstation or cause the software to crash by supplying a specially crafted configuration file. Affected products include GX Works2/3 (PLC programming), RT ToolBox2/3 (industrial controller engineering), MELFA-Works (robot programming), GT Designer3 (HMI design), and numerous device configuration tools for I/O modules, motion controllers, and safety relays.

What this means
What could happen
An attacker with local access could exploit XML parsing flaws or resource exhaustion to exfiltrate configuration files from engineering workstations or crash the design tool, interrupting PLC/robot/manufacturing device programming and commissioning activities.
Who's at risk
Engineering teams in the energy sector (and other industries) using Mitsubishi Electric factory automation tools. This includes PLC programmers and configuration engineers using GX Works2/3, RT ToolBox, robot engineers using MELFA-Works, and those configuring I/O modules, safety controllers, or motion controllers. Any facility that programs or maintains Mitsubishi MELSEC PLCs, industrial robots, or smart I/O devices is potentially affected.
How it could be exploited
An attacker delivers a malicious project or configuration file (via email, USB, or file share) to an engineer using one of the affected Mitsubishi tools. When the engineer opens the file, the XML parsing vulnerability (CWE-611) is triggered, allowing the attacker to read arbitrary files from the workstation or cause a denial-of-service crash (CWE-400). No credentials or special access required—just social engineering to deliver the file.
Prerequisites
  • Local access to an engineering workstation with one of the affected Mitsubishi tools installed
  • User must open a malicious project or configuration file
  • File delivery via email, USB, network share, or other means

  • No authentication required to exploit (file-based)
  • Low complexity attack (deliver file and wait for user to open it)
  • Affects 20 widely-used engineering tools
  • No patch available at time of advisory (though patches have since been released)
  • Exfiltration and denial-of-service impact on engineering capability
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (20)
20 pending
Product | Affected Versions | Fix Status
MELSOFT FieldDeviceConfigurator | ≤ 1.03D | No fix yet
RT ToolBox3 | ≤ 1.50C | No fix yet
GX Works2 | ≤ 1.586L | No fix yet
CW Configurator | ≤ 1.010L | No fix yet
RT ToolBox2 | ≤ 3.72A | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Operate all Mitsubishi software tools and engineering workstations under non-administrative user accounts
WORKAROUND: Install antivirus software on all engineering workstations running these tools
WORKAROUND: Educate engineers to verify the source of project and configuration files before opening them; reject files from unknown sources
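A pre-open check that supports the file-verification workaround above, as an added example that is not part of the advisory or of any Mitsubishi Electric tooling: it flags DOCTYPE and external entity declarations, which an XXE (CWE-611) file depends on, without handing the file to an XML parser. It assumes the project or configuration file is stored as plain XML text; the function names and sample documents are constructed for illustration.

```python
import re

# DTD constructs an XXE (CWE-611) file relies on. Matching is case-insensitive
# on purpose: over-flagging is acceptable for a quarantine decision.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+[\w.:\-]+(\s+(?:SYSTEM|PUBLIC)\b)?", re.I)
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s+)?([\w.:\-]+)\s+(?:SYSTEM|PUBLIC)\b", re.I)

def decode_xml(raw):
    """Decode by BOM or NUL pattern so a UTF-16 file cannot hide its DTD."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw[:2] == b"<\x00":
        return raw.decode("utf-16-le", errors="replace")
    if raw[:2] == b"\x00<":
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def triage(raw):
    """Return findings for one file's bytes; an empty list means no DTD seen."""
    text = decode_xml(raw)
    findings = []
    doctype = DOCTYPE_RE.search(text)
    if doctype:
        # A DOCTYPE with SYSTEM/PUBLIC pulls in an external DTD subset.
        findings.append("external-dtd" if doctype.group(1) else "doctype")
    for m in ENTITY_RE.finditer(text):
        kind = "external-parameter-entity" if m.group(1) else "external-entity"
        findings.append(f"{kind}:{m.group(2)}")
    return findings

# Constructed samples (not taken from any real project file).
CLEAN = b'<?xml version="1.0"?><project><station name="PLC1"/></project>'
FLAGGED = (b'<?xml version="1.0"?>\n<!DOCTYPE project [\n'
           b'  <!ENTITY ext SYSTEM "file:///placeholder">\n]>\n'
           b'<project>&ext;</project>')

if __name__ == "__main__":
    for label, data in [("clean", CLEAN), ("flagged", FLAGGED),
                        ("flagged-utf16", FLAGGED.decode().encode("utf-16"))]:
        print(label, triage(data) or "no DTD constructs")
```

Files that return findings are candidates for quarantine and review rather than for opening in the engineering tool.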
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EM Software Development Kit (EM Configurator):
HOTFIX: Update EM Software Development Kit (EM Configurator) to version 1.015R or later
GT Designer3 (GOT2000):
HOTFIX: Update GT Designer3 (GOT2000) to version 1.225K or later
All products
HOTFIX: Update CPU Module Logging Configuration Tool to version 1.100E or later
HOTFIX: Update CW Configurator to version 1.011M or later
HOTFIX: Update GX LogViewer to version 1.100E or later
HOTFIX: Update GX Works2 to version 1.590Q or later
HOTFIX: Update GX Works3 to version 1.060N or later
HOTFIX: Update M_CommDTM-HART to version 1.01B or later
HOTFIX: Update M_CommDTM-IO-Link to version 1.03D or later
HOTFIX: Update MELFA-Works to version 4.4 or later
HOTFIX: Update MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool to version 1.005F or later
HOTFIX: Update MELSOFT FieldDeviceConfigurator to version 1.04E or later
HOTFIX: Update MELSOFT iQ AppPortal to version 1.14Q or later
HOTFIX: Update MELSOFT Navigator to version 2.62Q or later
HOTFIX: Update MI Configurator to version 1.004E or later
HOTFIX: Update Motion Control Setting to version 1.006G or later
HOTFIX: Update MR Configurator2 to version 1.100E or later
HOTFIX: Update MT Works2 to version 1.160S or later
HOTFIX: Update RT ToolBox2 to version 3.73B or later
HOTFIX: Update RT ToolBox3 to version 1.60N or later
Long-term hardening
HARDENING: Isolate engineering workstations on a separate network segment from production control systems and the internet
HARDENING: Implement firewall rules to restrict network access to engineering workstations; block file sharing and email from untrusted networks