OTPulse

Mitsubishi Electric FA Engineering Software Products (Update D)

Act Now · CVSS 9.8 · ICS-CERT ICSA-24-030-02 · Jan 30, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Mitsubishi Electric FA engineering software products contain vulnerabilities in authentication and data handling. Affected products include EZSocket (versions 3.0 to 5.92), GT Designer3 for GOT1000 and GOT2000, GX Works2, GX Works3, MELSOFT Navigator, MT Works2, MX Component, and MX OPC Server DA/UA. These products are used to develop, program, and configure industrial control devices such as PLCs and HMIs. An attacker with network access can exploit these vulnerabilities to disclose, modify, or delete project files and configurations, or to cause the software to stop responding. The vulnerabilities do not require authentication and have a straightforward attack vector.

What this means
What could happen
An attacker with network access to these engineering workstations could read, modify, or delete project files and configurations used to program industrial equipment, or interrupt the workstations' operation. Since these tools are used to develop and deploy logic to PLCs and HMIs, compromise could lead to unauthorized changes to plant control logic or loss of engineering work.
Who's at risk
Electrical utilities and other industrial organizations that use Mitsubishi Electric FA (Factory Automation) engineering software products to program and configure PLCs, HMIs, and other control devices. This includes anyone responsible for GT Designer, GX Works, MELSOFT Navigator, MT Works, MX Component, or EZSocket software on engineering workstations.
How it could be exploited
An attacker reaches the engineering workstation over the network (remotely or from an adjacent network segment). No credentials are required. The attacker exploits one of these software products to execute code, read files, or crash the application. If the attacker gains code execution, they could modify control logic files before they are deployed to field devices like PLCs or HMIs, or they could steal configuration data for critical processes.
Prerequisites
  • Network access to the engineering workstation running one of the affected Mitsubishi products (port and protocol depend on the specific product)
  • No authentication required for exploitation
  • The affected product must be installed and running on the target workstation
Remotely exploitable · No authentication required · Low attack complexity · No patch available for several products (EZSocket, GT Designer3, MELSOFT Navigator affected versions) · Affects engineering workstations used to configure safety-critical systems · High CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 4.0%)
Affected products (9)
8 with fix, 1 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| MX OPC Server DA/UA (Software packaged with MC Works64) | All versions | No fix yet |
| EZSocket | ≥ 3.0, < 5.92 | 5.A |
| GT Designer3 Version1(GOT1000) | ≤ 1.325P | 1.330U |
| GT Designer3 Version1(GOT2000) | ≤ 1.320J | 1.325P |
| GX Works2 | ≥ 1.11M, < 1.626C | 1.630G |
| GX Works3 | ≤ 1.106L | 1.110Q |
| MELSOFT Navigator | ≥ 1.04E, < 2.102G | 2.106L |
| MT Works2 | ≤ 1.190Y | 1.195D |

Remediation & Mitigation
Do now
WORKAROUND: Configure firewall or VPN to restrict network access to engineering workstations; only allow trusted users and systems to reach these machines
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GT Designer3 Version1(GOT1000): <=1.325P
HOTFIX: Update GT Designer3 Version1(GOT1000) to version 1.330U or later
GT Designer3 Version1(GOT2000): <=1.320J
HOTFIX: Update GT Designer3 Version1(GOT2000) to version 1.325P or later
All products
HOTFIX: Update EZSocket to version 5.A or later
HOTFIX: Update GX Works2 to version 1.630G or later
HOTFIX: Update GX Works3 to version 1.110Q or later
HOTFIX: Update MELSOFT Navigator to version 2.106L or later
HOTFIX: Update MT Works2 to version 1.195D or later
HOTFIX: Update MX Component to version 5.008J or later
Long-term hardening
HARDENING: Keep engineering workstations on isolated LAN segments; block inbound connections from untrusted networks
HARDENING: Restrict physical access to engineering workstations and to network devices that can communicate with them
HARDENING: Install and maintain current antivirus software on all engineering workstations and machines with network access to them
HARDENING: Train users not to open untrusted files or click untrusted links on engineering workstations