OTPulse

Mitsubishi Electric FA Engineering Software Products (Update H)

Act Now | CVSS 7.5 | ICS-CERT ICSA-21-049-02 | Feb 18, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple buffer overflow and out-of-bounds write vulnerabilities (CWE-122, CWE-130) exist in Mitsubishi Electric FA engineering software products used for configuration, monitoring, and control of MELSEC PLCs, FREQROL drives, and GOT HMI devices. These vulnerabilities can be triggered by malformed input to cause denial-of-service conditions. Affected products span a wide range of engineering tools including GX Works, GT Designer, FR Configurator, and various utility software.

What this means
What could happen
An attacker who sends malformed data to these engineering software tools could crash the application, disrupting the engineer's ability to monitor, configure, or update control systems. In some cases, this could prevent emergency reconfiguration or troubleshooting of critical process equipment.
Who's at risk
Plant engineers, automation technicians, and IT staff at facilities using Mitsubishi Electric control systems are affected. This includes organizations running MELSEC PLCs (GX Works products), FREQROL inverters (FR Configurator), GOT HMI panels (GT Designer), and any facility using Mitsubishi's MELSOFT suite for system configuration, monitoring, or data transfer. Energy sector facilities and manufacturing plants with Mitsubishi automation equipment are most at risk.
How it could be exploited
An attacker with network access to an engineering workstation running one of these tools could send crafted packets or data to trigger a buffer overflow or out-of-bounds write, causing the application to crash. If the workstation is connected to the plant network or has remote access capability, the attacker could be on a different network and exploit the tool through its network communication interfaces (such as SLMP protocol or HTTP connections).
Prerequisites
  • Network access to the engineering workstation running the affected software
  • Knowledge of the specific network protocol or input format the tool accepts (SLMP, HTTP, or proprietary protocol)
  • The affected software tool must be running and accepting network connections
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (11.8%)
  • affects engineering workstations which may have access to operational networks
  • partial patch availability - some products have no fix planned
Exploitability
High exploit probability (EPSS 11.8%)
Affected products (41)
41 pending
Product               Affected Versions   Fix Status
GX IEC Developer      All versions        No fix yet
GX LogViewer          ≤ 1.115U            No fix yet
GX RemoteService-I    All versions        No fix yet
GX Works2             ≤ 1.597X            No fix yet
GX Works3             ≤ 1.070Y            No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For products with no planned fix (GX IEC Developer, GX RemoteService-I, GX Configurator-QP, GX Explorer, FR Configurator, FR Configurator SW3, M_CommDTM-HART, MELSEC WinCPU Setting Utility), install the fixed version of an alternative product that communicates with the same device type: install GX Works3 for MELSEC-based tools, FR Configurator2 for FREQROL tools, or GT Designer3 for GOT tools
HARDENING: Restrict network access to engineering workstations: place them behind firewalls, prevent access from untrusted networks, and use network segmentation to isolate the engineering workstation from the business network
HARDENING: Require engineering staff to run the affected software under user accounts without administrator privileges
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update the following products to the vendor-provided fixed versions: GX Works3 (1.072A or later), GX Works2 (1.600A or later), FR Configurator2 (1.25B or later), GT Designer3 (1.255R or later), GX Developer (8.507D or later), and all other products listed in the Mitsubishi advisory with available patches
Long-term hardening
HARDENING: Deploy or update antivirus software on all engineering workstations running these products
HARDENING: Require VPN authentication for any remote access to engineering workstations or plant networks
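
The fixed-version thresholds and the no-fix product list from the remediation steps above, applied to a software inventory. This is an added example, not part of the advisory or any vendor tooling; the hostnames and inventory rows are constructed, and the version ordering (numeric part first, trailing letter as tie-breaker) is an assumption about how these version strings sort within one product.

```python
import re

# Minimum fixed releases named in the HOTFIX step above.
FIXED = {
    "GX Works3": "1.072A",
    "GX Works2": "1.600A",
    "FR Configurator2": "1.25B",
    "GT Designer3": "1.255R",
    "GX Developer": "8.507D",
}
# Products the WORKAROUND step lists as having no planned fix.
NO_FIX = {
    "GX IEC Developer", "GX RemoteService-I", "GX Configurator-QP",
    "GX Explorer", "FR Configurator", "FR Configurator SW3",
    "M_CommDTM-HART", "MELSEC WinCPU Setting Utility",
}

def parse_version(text):
    """'1.072A' -> (1, 72, 'A'). Assumed ordering: numbers first, then letter."""
    m = re.fullmatch(r"(\d+)\.(\d+)([A-Z]?)", text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def triage(product, version):
    """Map one installed product to the remediation action it needs."""
    if product in NO_FIX:
        return "migrate"            # replace with GX Works3 / FR Configurator2 / GT Designer3
    if product not in FIXED:
        return "check-advisory"     # fixed version not stated on this page
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown-version"    # do not guess; verify by hand
    return "ok" if installed >= parse_version(FIXED[product]) else "update"

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ews-01", "GX Works3", "1.070Y"),
    ("ews-01", "GT Designer3", "1.255R"),
    ("ews-02", "GX Works2", "1.597X"),
    ("ews-02", "FR Configurator", "4.0"),
    ("ews-03", "GX LogViewer", "1.115U"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host:8} {product:30} {version:8} {triage(product, version)}")
```

Rows marked "check-advisory" or "unknown-version" need the fixed version looked up in the Mitsubishi advisory before they can be closed out.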