Unpatched Security Flaws Expose Mitsubishi Safety PLCs to Remote Attacks


Multiple security vulnerabilities have been disclosed in Mitsubishi Electric's safety programmable logic controllers (PLCs) that could be exploited by an adversary to learn the legitimate usernames registered in the module via brute-force attack, log in to the CPU module without authorization, and cause a denial-of-service (DoS) condition.

The vulnerabilities, identified by Nozomi Networks, relate to the authentication implementation of the MELSEC communication protocol, which is used to communicate and exchange data with target devices by reading and writing data in the CPU module.


A quick summary of the flaws follows:

  • Username Brute-force (CVE-2021-20594, CVSS score: 5.9) - Usernames used during authentication are effectively brute-forceable
  • Anti-password Brute-force Functionality Leads to Overly Restrictive Account Lockout Mechanism (CVE-2021-20598, CVSS score: 3.7) - The implementation to thwart brute-force attacks not only blocks a potential attacker from using a single IP address, but it also prohibits any user from any IP address from logging in for a certain timeframe, effectively locking legitimate users out
  • Leaks of Password Equivalent Secrets (CVE-2021-20597, CVSS score: 7.4) - A secret derived from the cleartext password can be abused to authenticate with the PLC successfully
  • Session Token Management - Cleartext transmission of session tokens, which are not bound to an IP address, thus enabling an adversary to reuse the same token from a different IP after it has been generated
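As an added illustration (not code from the article, Nozomi Networks or Mitsubishi Electric, and not an implementation of MELSEC), the toy Python model below contrasts the global lockout behaviour described under CVE-2021-20598 with a per-source lockout, and binds each session token to the client IP it was issued to so a token observed from one address cannot be replayed from another. The credential store, thresholds and IP addresses are constructed for the demonstration.

```python
"""Toy model of global vs. per-source lockout and of IP-bound session tokens.
Added illustration only: not vendor or researcher code, and not MELSEC.
MAX_FAILURES and LOCKOUT_SECONDS are assumed values chosen for the demo.
"""
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3        # assumed: failed attempts before a lockout triggers
LOCKOUT_SECONDS = 60    # assumed: how long a lockout lasts

@dataclass
class AuthService:
    users: dict                      # constructed credential store: user -> password
    per_source: bool                 # False = one global lockout (the flaw), True = per-IP
    failures: dict = field(default_factory=dict)      # lockout key -> failure count
    locked_until: dict = field(default_factory=dict)  # lockout key -> unlock time
    sessions: dict = field(default_factory=dict)      # token -> (user, client_ip)

    def _key(self, client_ip):
        # A global lockout shares one key, so failures from any address lock out everyone.
        return client_ip if self.per_source else "*"

    def login(self, user, password, client_ip, now):
        key = self._key(client_ip)
        if self.locked_until.get(key, 0) > now:
            return None                               # currently locked out
        if self.users.get(user) != password:
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                self.failures[key] = 0
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = (user, client_ip)      # bind the token to the issuing address
        return token

    def use_session(self, token, client_ip):
        # Reject a token presented from an address other than the one it was issued to.
        entry = self.sessions.get(token)
        if entry is None or entry[1] != client_ip:
            return None
        return entry[0]

def demo(per_source):
    """Attacker at 10.0.0.9 exhausts the failure budget; can the operator at 10.0.0.5 still log in?"""
    svc = AuthService(users={"engineer": "correct-horse"}, per_source=per_source)
    for _ in range(MAX_FAILURES):
        svc.login("engineer", "wrong-password", "10.0.0.9", now=0)
    return svc.login("engineer", "correct-horse", "10.0.0.5", now=1) is not None
```

With the global lockout the legitimate operator is denied service by someone else's failed attempts; with the per-source lockout only the offending address is blocked.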

Troublingly, some of these flaws can be chained together as part of an exploit chain, allowing an attacker to authenticate to the PLC and disrupt its safety functions, lock PLC users out, and, worst of all, change the passwords of registered users, necessitating a physical shutdown of the controller to prevent further harm.

The researchers have refrained from sharing technical details of the vulnerabilities or proof-of-concept (PoC) code demonstrating the attacks, given the likelihood that doing so could lead to further abuse. While Mitsubishi Electric is expected to release a fixed version of the firmware "soon," it has published a series of mitigation measures aimed at securing operating environments and preventing potential attacks.

Stating that it is currently investigating the authentication vulnerability in how sessions are handled, the company recommends a combination of measures to reduce the risk of potential exploitation, including using a firewall to block untrusted Internet access, an IP filter to restrict which IP addresses may connect, and changing passwords via USB.

"It is possible that the types of problems we have identified affect the authenticity of OT protocols from more than one vendor, and we want to help protect as many programs as possible," the researchers noted. "Our main concern is that property owners can rely too much on the security of security schemes included in OT agreements, without knowing the technical details and models of the failure of this implementation."
