Mitsubishi Electric GOT2000 and GOT SIMPLE

Monitor5.9ICS-CERT ICSA-23-215-01Aug 3, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

A cryptographic weakness in the data connection protocol of Mitsubishi Electric GOT2000 Series (GT21) and GOT SIMPLE (GS21) operator panels allows an attacker on the network to hijack data connections or prevent legitimate operators from establishing connections. This affects the ability of authorized users to monitor and control industrial processes through the operator interface.

What this means

What could happen

An attacker could intercept or hijack data connections to the operator panel, potentially reading sensitive process data or preventing legitimate users from communicating with the device to monitor or control operations.

Who's at risk

Water and electric utility operators who use Mitsubishi Electric GOT2000 Series (GT21 model) or GOT SIMPLE (GS21 model) operator panels for real-time process monitoring and control. Impact is greatest for facilities where the operator panel is accessible from untrusted networks or where loss of operator visibility could disrupt critical operations.

How it could be exploited

An attacker on the network sends specially crafted communication requests to the GOT2000 or GOT SIMPLE device. Due to weak cryptographic security in the data connection protocol, the attacker can intercept the connection session or impersonate legitimate clients, gaining the ability to read process data or block operators from accessing the panel.

Prerequisites

Network access to the affected GOT device (port connectivity required)
Device running vulnerable firmware version 01.49.000 or earlier
Attacker must be on the same network segment or have routed access to the device

remotely exploitableno authentication requiredhigh attack complexityaffects operator visibility and process controlno patch available for devices in field (requires manual firmware update process)

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

GOT SIMPLE, GS21 model: <= 01.49.000≤ 01.49.00001.50.000 or later

GOT2000 Series, GT21 model: <= 01.49.000≤ 01.49.00001.50.000 or later

Remediation & Mitigation

0/8

Do now

0/2

WORKAROUNDDisable the FTP server function on the affected devices if not required for operations

WORKAROUNDConfigure IP filter rules to restrict which IP addresses can access the affected GOT devices

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate GOT2000 Series GT21 model to firmware version 01.50.000 or later using GT Designer3 Version1 (Ver. 1.300 N or later)

HOTFIXUpdate GOT SIMPLE GS21 model to firmware version 01.50.000 or later using GT Designer3 Version1 (Ver. 1.300 N or later)

Long-term hardening

0/4

HARDENINGRestrict physical access to the operator panels and the LAN segments they are connected to

HARDENINGSegment the GOT devices to an isolated LAN and block access from untrusted networks using a firewall or network boundary device

HARDENINGImplement VPN or other encrypted network access controls if the devices must be reachable from remote locations

HARDENINGInstall and maintain antivirus software on any engineering workstations that connect to the affected GOT devices

CVEs (1)

CVE-2023-3373

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8bea49c0-099b-4c89-aae9-047a998c98da