Mitsubishi Electric Factory Automation Products
Act Now · 7.5 · ICS-CERT ICSA-24-004-02 · Jan 4, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mitsubishi Electric OPC UA server products contain information disclosure and denial-of-service vulnerabilities (CWE-208, CWE-415, CWE-843). These products are commonly deployed as bridges between Mitsubishi programmable logic controllers and supervisory control and monitoring software. An unauthenticated attacker with network access can send malicious requests to trigger information leakage or cause the server to become unresponsive. This would disrupt real-time communication for process monitoring and control operations.
What this means
What could happen
An attacker could disclose information from these OPC UA servers or cause them to stop responding, disrupting communication between plant control systems and monitoring software that depends on real-time data for operations.
Who's at risk
Energy utilities and manufacturing facilities using Mitsubishi Electric factory automation products should focus on this issue. It affects OPC UA servers that bridge plant control systems (PLCs like FX5 series, MELSEC iQ-R) and supervisory software. The MX OPC Server UA in MC Works64, OPC UA Server Unit modules, FX5-OPC gateways, GT SoftGOT2000 HMI, and OPC UA Data Collector are all affected. Any facility relying on these products for real-time monitoring or control data interchange is at risk.
How it could be exploited
An attacker on the network sends specially crafted requests to the OPC UA server ports without authentication. The server processes the request in an unsafe way, either leaking sensitive data or crashing. No user interaction is required.
Prerequisites
- Network access to the OPC UA server port (typically 4840 or configured port)
- No valid credentials required
- Server must be reachable from attacker's network segment
remotely exploitable · no authentication required · low complexity · high EPSS score (88.5%) · no patch available for most products · affects industrial automation and SCADA monitoring
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (5)
1 with fix, 4 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| FX5-OPC | ≤ 1.006 | 1.010 or later |
| OPC UA Server Unit | All versions | No fix (EOL) |
| GT SoftGOT2000 | ≥ 1.275M\|<1.290C | No fix (EOL) |
| OPC UA Data Collector | ≤ 1.04E | No fix (EOL) |
| MX OPC Server UA (Software packaged with MC Works64) | ≥ 3.05F Packaged with MC Works64 4.03D | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Block access to OPC UA server ports from untrusted networks using firewalls; restrict to internal LAN only
HARDENING: Enable security policy in OPC UA Server Unit configuration (set to something other than 'None')
HARDENING: Configure IP filter on FX5-OPC to allow access only from trusted engineering workstations and control systems
HARDENING: Validate and do not import untrusted certificates into OPC UA applications
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade FX5-OPC to version 1.010 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OPC UA Server Unit (all versions), GT SoftGOT2000 (≥ 1.275M|<1.290C), OPC UA Data Collector (≤ 1.04E), MX OPC Server UA (Software packaged with MC Works64) (≥ 3.05F Packaged with MC Works64 4.03D). Apply the following compensating controls:
HARDENING: Use VPN or restricted network access when OPC UA servers must be accessible over wide-area networks
HARDENING: Restrict physical access to computers and network equipment on the same LAN segment as OPC UA servers