Severity: HIGH
Description: Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.
CVSS Score: 8.3
1. Risk Assessment
The vulnerability, identified as CVE-2020-14521, is an unquoted search path or element issue present in multiple Mitsubishi Electric Factory Automation engineering software products. This allows a malicious attacker to potentially execute code, resulting in information theft, data modification, or a denial-of-service condition. The CVSS score of 8.3 (High) indicates a significant risk. Exploitation requires user interaction, meaning an attacker needs to entice a user to execute a malicious file or open a specially crafted project. However, once exploited, the impact is substantial, affecting confidentiality, integrity, and availability across a wide range of affected products. The likelihood of exploitation is moderate, dependent on successful social engineering or targeted attacks. The business impact could range from production downtime and lost data to compromised process control systems, depending on the specific software affected and its role within the industrial environment. Given the breadth of impacted software, the overall risk to organizations utilizing Mitsubishi Electric's Factory Automation suite is considerable.
2. Potential Attack Scenarios
An attacker could craft a malicious project file for one of the affected software packages, such as GT Designer3. They could then deliver this file to an engineer via email or a shared network drive, masquerading it as a legitimate project. When the engineer opens the project, the vulnerable software searches for required libraries or components using an unquoted search path. Because that path contains a space and is not enclosed in quotes, the system can resolve it to the attacker’s file at a truncated form of the path, and the attacker’s code is then executed before the intended library. This allows the attacker to gain control of the engineer’s workstation, potentially escalating privileges to access the broader control system network. From there, the attacker could steal proprietary process data, modify control logic, or disrupt production by causing a denial-of-service. This attack relies on successful social engineering to get the engineer to open the malicious project file but could be very effective in a targeted attack.
3. Mitigation Recommendations
The primary mitigation is to upgrade the affected Mitsubishi Electric software to the latest patched versions. Mitsubishi Electric provides specific updates for each product identified as vulnerable. Refer to the CISA advisory (https://www.cisa.gov/uscert/ics/advisories/icsa-20-212-04) and the vendor advisory (https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-007_en.pdf) for the specific version requirements for each product.
In addition to patching, organizations should implement these interim measures:
* Implement strong application whitelisting to control which executables can run on engineering workstations.
* Train engineers to be wary of opening project files from untrusted sources.
* Segment the control system network to limit the impact of a successful compromise.
* Regularly scan engineering workstations for malware and vulnerabilities.
* Review and enforce least privilege access controls for engineering workstations and network shares.
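As part of workstation scanning, the weakness class behind this CVE (an unquoted path that contains spaces) can be checked for in any list of registered command lines, such as service or autostart entries exported from a workstation. The following is an added example, not code from Mitsubishi Electric or CISA; the function names and sample entries are assumptions constructed for illustration, and it does not replace the vendor patches.

```python
import re

# Extensions treated as directly launchable (assumed short list for this example).
_EXE = re.compile(r"\.(exe|com|bat|cmd)\b", re.IGNORECASE)

def executable_part(command):
    """Return the command up to and including the first executable extension."""
    m = _EXE.search(command)
    return command[:m.end()] if m else command

def is_unquoted_with_space(command):
    """True when the executable path contains a space and is not quoted."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return False
    return " " in executable_part(cmd)

def ambiguous_prefixes(command):
    """Paths Windows may try before the intended file for an unquoted command.

    Each space is a point where the path can be cut and ".exe" appended, so the
    directories holding these prefixes are the ones whose write ACLs need review.
    """
    if not is_unquoted_with_space(command):
        return []
    path = executable_part(command.strip())
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]

def audit(entries):
    """Map entry name -> ambiguous prefixes, only for entries that need quoting."""
    findings = {}
    for name, command in entries.items():
        prefixes = ambiguous_prefixes(command)
        if prefixes:
            findings[name] = prefixes
    return findings

# Constructed sample data: names and paths are illustrative, not from the advisory.
SAMPLE = {
    "quoted_ok": r'"C:\Program Files\Example Vendor\tool.exe" -service',
    "no_space_ok": r"C:\Tools\agent.exe --run",
    "unquoted": r"C:\Program Files\Example Vendor\Eng Tool\helper.exe -k start",
}

if __name__ == "__main__":
    for name, prefixes in audit(SAMPLE).items():
        print(name, "-> quote this path; review write access for:", prefixes)
```

Entries that are flagged should be corrected by quoting the full executable path, and the listed locations should not be writable by standard users.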
4. Executive Summary
Multiple Mitsubishi Electric Factory Automation engineering software products are vulnerable to a malicious code execution issue (CVE-2020-14521). This vulnerability allows attackers to potentially gain control of engineering workstations, steal data, modify process logic, or disrupt production. While exploitation requires a user to interact with a malicious file, the impact can be significant. It is critical to patch all affected software to the latest versions as quickly as possible. This vulnerability poses a moderate to high risk to organizations relying on Mitsubishi Electric’s Factory Automation solutions, and prompt action is needed to minimize potential business disruption and data compromise. The impact spans across several products, so a comprehensive patching effort is required. Prioritize patching based on the criticality of the affected software within your operational environment.