Mitsubishi Electric GT and GOT Series Products
Priority: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-23-215-02
Published: Aug 3, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A cryptographic weakness in Mitsubishi Electric GOT2000 and GOT SIMPLE HMI terminals, and in the GT Designer3 Version1 (GOT2000) and GT SoftGOT2000 engineering software, lets an attacker on the network capture password packets and recover the passwords in plaintext, because the encryption protecting them is weak. Affected are GOT2000 models GT21, GT23, GT25 and GT27 on firmware 01.49.000 or earlier, GOT SIMPLE models GS25 and GS21 on firmware 01.49.000 or earlier, and GT Designer3 Version1 (GOT2000) and GT SoftGOT2000 at version 1.295H or earlier. Successful exploitation yields operator and engineer credentials, which can then be used for unauthorized control of the connected industrial processes.
What this means
What could happen
An attacker on your network could intercept and decrypt passwords used by operators and engineers to access GOT HMI/SCADA systems, potentially allowing them to impersonate legitimate users and alter process parameters or halt production.
Who's at risk
Energy sector operators using Mitsubishi Electric GOT HMI/SCADA products (GOT2000, GOT SIMPLE, and GT Designer3/SoftGOT2000 engineering software) for process monitoring and control in power plants, substations, and distribution systems should prioritize this update. Any facility that uses GOT devices to display or control critical electrical or water processes is at risk.
How it could be exploited
An attacker with network access (on the internal LAN, or remote if the device is Internet-exposed) can capture password packets exchanged between the GOT device and connected engineering workstations or other systems. Because the passwords are protected only by weak encryption, the attacker can decrypt them offline, log in to the HMI as a legitimate user, and operate the connected PLCs and processes.
Prerequisites
- Network access to the same LAN as the GOT device, or remote access if the device is exposed to the Internet
- Ability to capture network traffic (packet sniffer running on the attacker's computer or a compromised device on the network)
- No authentication or special privileges required to perform the attack
Key points:
- Remotely exploitable if the device is Internet-exposed
- No authentication required to sniff and decrypt passwords
- Low attack complexity
- Affects HMI/SCADA systems that control physical processes
- High CVSS score (7.5)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 with fix
- GT Designer3 Version1 (GOT2000): affected ≤ 1.295H, fixed in 1.300N
- GT SoftGOT2000: affected ≤ 1.295H, fixed in 1.300N
- GOT2000 (Models GT21, GT23, GT25, GT27): affected ≤ 01.49.000, fixed in 01.50.000
- GOT SIMPLE (Models GS25, GS21): affected ≤ 01.49.000, fixed in 01.50.000
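The affected-version table is the check most teams actually need to run against an asset inventory. The following Python script is an added example, not part of the advisory or of Mitsubishi Electric's own tooling: it encodes the affected and fixed versions from the table, compares the vendor's two version formats (dotted firmware numbers such as 01.49.000 and letter-suffixed engineering-software versions such as 1.295H), and flags which inventory entries still need the update. The inventory lines are constructed sample data, the model-to-family mapping is taken from the advisory's model lists, and the ordering rule for the letter suffix is an assumption.

```python
"""Triage a GOT/GT inventory against the advisory's affected-version table (added example)."""
import re

# Last affected build and first fixed build per product family, copied from the table above.
ADVISORY = {
    "GT Designer3 Version1 (GOT2000)": ("1.295H", "1.300N"),
    "GT SoftGOT2000": ("1.295H", "1.300N"),
    "GOT2000": ("01.49.000", "01.50.000"),
    "GOT SIMPLE": ("01.49.000", "01.50.000"),
}

# Hardware model -> product family, from the advisory's model lists.
MODEL_FAMILY = {
    "GT21": "GOT2000", "GT23": "GOT2000", "GT25": "GOT2000", "GT27": "GOT2000",
    "GS21": "GOT SIMPLE", "GS25": "GOT SIMPLE",
}

# Dotted numeric part, optionally followed by one revision letter.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z]?)")


def version_key(version: str):
    """Make '01.49.000' and '1.295H' comparable as (numbers, letter) tuples.

    Assumption (not stated by the vendor): the numeric part orders releases and
    the trailing letter only breaks ties between builds with the same number.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2).upper()


def assess(product: str, version: str) -> str:
    """Return 'fixed', 'affected' or 'not_listed' for one product or model at one version."""
    family = MODEL_FAMILY.get(product, product)
    if family not in ADVISORY:
        return "not_listed"
    _last_affected, first_fixed = ADVISORY[family]
    # Anything below the first fixed build is treated as affected: the advisory
    # says "update to <fix> or later" and lists no safe build before the fix.
    return "fixed" if version_key(version) >= version_key(first_fixed) else "affected"


def triage(inventory):
    """inventory: iterable of (asset, product_or_model, version). Affected rows come first."""
    rows = []
    for asset, product, version in inventory:
        family = MODEL_FAMILY.get(product, product)
        status = assess(product, version)
        rows.append({
            "asset": asset,
            "product": product,
            "version": version,
            "status": status,
            "update_to": ADVISORY[family][1] if family in ADVISORY else None,
        })
    rows.sort(key=lambda r: r["status"] != "affected")
    return rows


# Constructed sample inventory (not real assets); "ExampleHMI" is a placeholder product
# outside the advisory's scope, to show the not_listed path.
SAMPLE_INVENTORY = [
    ("hmi-turbine-01", "GT27", "01.49.000"),
    ("hmi-switchgear-02", "GS21", "01.50.000"),
    ("eng-ws-03", "GT Designer3 Version1 (GOT2000)", "1.290D"),
    ("eng-ws-03", "GT SoftGOT2000", "1.300N"),
    ("hmi-legacy-04", "ExampleHMI", "01.10.000"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        line = f"{row['status']:<11}{row['asset']:<20}{row['product']} {row['version']}"
        if row["status"] == "affected":
            line += f"  -> update to {row['update_to']} or later"
        print(line)
```

The comparison deliberately keys on the first fixed build rather than on the last listed affected build, so a version that falls between 1.295H and 1.300N (or between 01.49.000 and 01.50.000) is reported as affected instead of silently passing; that matches the "or later" wording of the hotfix entries. Replace SAMPLE_INVENTORY with rows exported from your asset inventory and feed the affected rows into the maintenance-window planning.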
Remediation & Mitigation
Do now
- WORKAROUND: Configure the IP filter function on affected products to restrict access to trusted engineering workstations and operator consoles only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update GT Designer3 Version1 (GOT2000) (affected ≤ 1.295H) to v1.300N or later
- HOTFIX: Update GT SoftGOT2000 (affected ≤ 1.295H) to v1.300N or later
- HOTFIX: Update GOT2000 (Models GT21, GT23, GT25, GT27) (affected ≤ 01.49.000) to v01.50.000 or later
- HOTFIX: Update GOT SIMPLE (Models GS25, GS21) (affected ≤ 01.49.000) to v01.50.000 or later
Long-term hardening
- HARDENING: Encrypt communication paths between GOT devices and connected systems using a VPN or equivalent encryption
- HARDENING: Isolate the GOT HMI/SCADA network from the business network and the Internet with firewalls and network segmentation
- HARDENING: Install antivirus software on engineering workstations that access the affected products
CVEs (1)