Mitsubishi Electric MELSEC iQ-R Series Safety CPU and SIL2 Process CPU (Update A)

MonitorCVSS 6.5ICS-CERT ICSA-24-044-01Feb 13, 2024

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Mitsubishi Electric MELSEC iQ-R Series Safety CPU and SIL2 Process CPU allows a non-administrator user with valid credentials to disclose the credentials (user ID and password) of users with lower access levels. This affects all versions of the R08SFCPU, R16SFCPU, R32SFCPU, R120SFCPU (Safety CPU) and R08PSFCPU, R16PSFCPU, R32PSFCPU, R120PSFCPU (SIL2 Process CPU). A mitigation is available when the CPU version meets minimum thresholds and GX Works3 engineering software version is updated to enable enhanced vulnerability management during credential provisioning. For older versions, no patch will be released.

What this means

What could happen

A user with legitimate access to your safety-critical PLC could extract passwords of other users with lower privileges, potentially allowing unauthorized access to modify safety interlocks or process logic. This directly affects the confidentiality of authentication credentials on devices that control safety functions.

Who's at risk

This affects water utilities and electric utilities operating Mitsubishi Electric MELSEC iQ-R safety-critical programmable logic controllers (PLCs). Specifically, any organization using the Safety CPU (R08SFCPU, R16SFCPU, R32SFCPU, R120SFCPU) or SIL2 Process CPU (R08PSFCPU, R16PSFCPU, R32PSFCPU, R120PSFCPU) models for process control or safety interlocks is vulnerable if their installed firmware and GX Works3 engineering tool versions are below the patched thresholds.

How it could be exploited

An attacker with a valid engineering workstation account on your network uses GX Works3 (the programming tool) to connect to the MELSEC iQ-R CPU and query stored user credentials for accounts with lower privilege levels. The attacker must already have network access and valid credentials to the engineering tool and PLC.

Prerequisites

Valid login credentials for GX Works3 engineering software with at least read access to user database
Network access to the MELSEC iQ-R CPU (typically on engineering LAN)
Access to a personal computer with GX Works3 installed that can communicate with the target CPU
Sufficient privilege level to query user information (non-administrator users can still disclose lower-privilege users' credentials)

No patch available for all versionsAffects safety systems (SIL2-rated devices)Requires authentication but disclosed by insider threatAffects critical industrial control infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (8)

8 EOL

ProductAffected VersionsFix Status

MELSEC iQ-R Series Safety CPU R08SFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series Safety CPU R16SFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series Safety CPU R32SFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series Safety CPU R120SFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series SIL2 Process CPU R08PSFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series SIL2 Process CPU R32PSFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series SIL2 Process CPU R16PSFCPU: vers:all/*All versionsNo fix (EOL)

MELSEC iQ-R Series SIL2 Process CPU R120PSFCPU: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDDeploy network firewall rules to restrict access to the MELSEC iQ-R CPU port (Ethernet) to only authorized engineering workstations and block connections from external networks and untrusted hosts.

WORKAROUNDEnable IP filter function on the MELSEC iQ-R CPU to restrict access to known engineering workstation IP addresses only (refer to MELSEC iQ-R Ethernet User's Manual section 1.13 Security).

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade GX Works3 engineering software to version 1.087R or later (for Safety CPU) or 1.105K or later (for SIL2 Process CPU), and enable 'communicating with only the enhanced version of vulnerability management' when provisioning user credentials to the CPU.

HOTFIXUpgrade MELSEC iQ-R Safety CPU firmware to version 27 or later (if using Safety CPU models); upgrade SIL2 Process CPU firmware to version 12 or later (if using SIL2 Process CPU models) to support the enhanced vulnerability management feature.

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: MELSEC iQ-R Series Safety CPU R08SFCPU: vers:all/*, MELSEC iQ-R Series Safety CPU R16SFCPU: vers:all/*, MELSEC iQ-R Series Safety CPU R32SFCPU: vers:all/*, MELSEC iQ-R Series Safety CPU R120SFCPU: vers:all/*, MELSEC iQ-R Series SIL2 Process CPU R08PSFCPU: vers:all/*, MELSEC iQ-R Series SIL2 Process CPU R32PSFCPU: vers:all/*, MELSEC iQ-R Series SIL2 Process CPU R16PSFCPU: vers:all/*, MELSEC iQ-R Series SIL2 Process CPU R120PSFCPU: vers:all/*. Apply the following compensating controls:

HARDENINGRestrict physical access to MELSEC iQ-R CPUs and to engineering workstations that can communicate with them to authorized personnel only.

HARDENINGSegment the engineering network (where GX Works3 and MELSEC iQ-R devices reside) from corporate and external networks using firewalls or VPN gateways.

HARDENINGInstall and maintain current antivirus software on all personal computers that can access the MELSEC iQ-R CPU to reduce the risk of credential theft via malware.

CVEs (1)

CVE-2023-6815

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/244d633b-9872-4823-83f6-d7f41fc9ee5b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.