-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3651
          Advisory (icsa-22-202-04) ICONICS Suite and Mitsubishi
                       Electric MC Works64 Products
                               27 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ICONICS Suite and Mitsubishi Electric MC Works64 Products
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-33320 CVE-2022-33319 CVE-2022-33318
                   CVE-2022-33317 CVE-2022-33316 CVE-2022-33315
                   CVE-2022-29834  

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04

Comment: CVSS (Max):  9.8 CVE-2022-33318 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-202-04)

ICONICS Suite and Mitsubishi Electric MC Works64 Products

Original release date: July 21, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .



1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Low attack complexity
  o Vendors: ICONICS, Mitsubishi Electric
  o Equipment: ICONICS Product Suite, MC Works64
  o Vulnerabilities: Path Traversal, Deserialization of Untrusted Data,
    Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds
    Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in information
disclosure, remote code execution, or a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following SCADA products are affected:

  o ICONICS GENESIS64: Version 10.97.1 and prior
  o ICONICS Hyper Historian: Version 10.97.1 and prior
  o ICONICS AnalytiX: Version 10.97.1 and prior
  o ICONICS IoTWorX: Versions 10.97 and 10.97.1
  o ICONICS MobileHMI: Versions 10.97 and 10.97.1
  o ICONICS GraphWorX64: Version 10.97.1 and prior
  o ICONICS GenBrokerX64: Version 10.97.1 and prior
  o Mitsubishi Electric MC Works64: Version 4.04E and prior (v10.95.210.01),
    excluding CVE-2022-29384

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

ICONICS MobileHMI and IoTWorX IoT Visualizer products are affected by a path
traversal vulnerability. If exploited, it could allow traversal of the file
system and access to files or directories outside the restricted directory on
the MobileHMI server or the IoTWorX IoT Visualizer server, resulting in
information disclosure.

CVE-2022-29834 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

GraphWorX64, contained in all ICONICS Suite products and Mitsubishi Electric MC
Works64 products, has multiple vulnerabilities regarding the deserialization of
untrusted data that, if exploited, could result in code execution.

CVE-2022-33315 and CVE-2022-33316 have been assigned to these vulnerabilities.
A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 INCLUSION OF FUNCTIONALITY FROM UNTRUSTED CONTROL SPHERE CWE-829

GraphWorX64 scripting, contained in all ICONICS Suite products and Mitsubishi
Electric MC Works64 products, is based on JScript and .NET and stores script
code in the GraphWorX64 project files. Because these project files can be
edited directly, a modified project file could result in code execution if
exploited.

CVE-2022-33317 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 DESERIALIZATION OF UNTRUSTED DATA CWE-502

GenBrokerX64, contained in all ICONICS Suite products and Mitsubishi Electric
MC Works64 products, contains a deserialization vulnerability that could result
in remote code execution if exploited.

CVE-2022-33318 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

GenBrokerX64, contained in all ICONICS Suite products and Mitsubishi Electric
MC Works64 products, contains an out-of-bounds read issue which could result in
information disclosure or a denial-of-service condition if exploited.

CVE-2022-33319 has been assigned to this vulnerability. A CVSS v3 base score of
8.2 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H).

3.2.6 DESERIALIZATION OF UNTRUSTED DATA CWE-502

All ICONICS Suite and Mitsubishi Electric MC Works64 products contain a
deserialization vulnerability that could enable a malicious project
configuration file to execute arbitrary code via the XML content of the file.

CVE-2022-33320 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: ICONICS is headquartered in the United
    States; Mitsubishi Electric is headquartered in Japan

3.4 RESEARCHER

Chris Anastasio, Noam Moshe, Steven Seeley, Alex Birmberg, Ben McBride, and
Axel '0vercl0k' Souchet, working with Trend Micro Zero Day Initiative, reported
these vulnerabilities to CISA.

4. MITIGATIONS

ICONICS and Mitsubishi Electric recommend updating the ICONICS Suite and MC
Works64 software with the latest security patches as they become available.
ICONICS Suite security patches may be found here (login required) and MC
Works64 security patches may be found here.

ICONICS and Mitsubishi Electric are releasing security updates as critical
fixes/rollup releases and security patches. Refer to the ICONICS Whitepaper on
Security Vulnerabilities, the most recent version of which can be found here,
and to Mitsubishi Electric's security advisory for information on the
availability of the security updates. Note: ICONICS and Mitsubishi Electric
products version 10.97.2 and later are not affected by these vulnerabilities.

ICONICS and Mitsubishi Electric recommend users of these products take the
following mitigation steps:

  o Use a firewall; consider using a Web Application Firewall (WAF). Place
    control system networks and devices behind firewalls and isolate them from
    the business network.
  o Restrict access to all TCP ports, such as ports 38080 and 6002. If remote
    access is required, utilize secure remote access methods, such as Virtual
    Private Networks (VPNs).
  o Minimize network exposure for all control system devices. Control system
    devices should not directly face the internet.
  o Minimize the attack surface by turning off services and point managers
    which will not be used.
  o Do not click web links or open unsolicited attachments in email messages.
  o Install the applicable critical fixes/rollup releases when available.

Mitsubishi Electric also recommends specific action for specific versions of MC
Works64:

  o For users with MC Works64 Version 4.00 through 4.03D, contact Mitsubishi
    Electric to receive the Version 4.04E installer. Apply the latest security
    patches once updated.
  o For users with MC Works64 Version 3.04E and prior, contact Mitsubishi
    Electric for assistance.
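An added example, not part of the advisory, that applies the affected-version ranges from section 3.1 and the 10.97.2 note above to an asset inventory so that hosts still needing a patch can be listed. The product names are the advisory's; the inventory is constructed, and the version-parsing rules (numeric dotted versions for the ICONICS suite, a number plus letter suffix for MC Works64) are assumptions:

```python
# Added example (not from the advisory): triage an asset inventory against the
# affected versions in section 3.1 and the 10.97.2 note in section 4.
import re
from typing import List, Tuple

PRIOR_TO_10_97_2 = {"GENESIS64", "Hyper Historian", "AnalytiX", "GraphWorX64",
                    "GenBrokerX64"}          # "Version 10.97.1 and prior"
ONLY_10_97_X = {"IoTWorX", "MobileHMI"}      # "Versions 10.97 and 10.97.1"
FIXED_FROM = (10, 97, 2)                     # "10.97.2 and later" not affected
MC_WORKS64_LAST_AFFECTED = (4, 4, "E")       # "Version 4.04E and prior"

def parse_suite_version(text: str) -> Tuple[int, int, int]:
    """'10.97.1' -> (10, 97, 1); '10.97' -> (10, 97, 0). Assumed format."""
    parts = re.findall(r"\d+", text)
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unparseable ICONICS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def parse_mc_works64_version(text: str) -> Tuple[int, int, str]:
    """'4.04E' -> (4, 4, 'E'); the letter is assumed to be a revision suffix."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)([A-Z]?)\s*", text)
    if not m:
        raise ValueError(f"unparseable MC Works64 version: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

def is_affected(product: str, version: str) -> bool:
    """True when the installed version lies in an affected range."""
    if product == "MC Works64":
        return parse_mc_works64_version(version) <= MC_WORKS64_LAST_AFFECTED
    v = parse_suite_version(version)
    if v >= FIXED_FROM:
        return False
    if product in PRIOR_TO_10_97_2:
        return v <= (10, 97, 1)
    if product in ONLY_10_97_X:
        return (10, 97, 0) <= v <= (10, 97, 1)
    raise ValueError(f"product not covered by this advisory: {product!r}")

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("hmi-01", "GENESIS64", "10.97.1"), ("hmi-02", "GENESIS64", "10.97.2"),
    ("edge-01", "IoTWorX", "10.96.1"), ("edge-02", "MobileHMI", "10.97"),
    ("ws-01", "MC Works64", "4.04E"), ("ws-02", "MC Works64", "4.05A"),
]
print(triage(SAMPLE_INVENTORY))  # prints the hmi-01, edge-02 and ws-01 entries
```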

Additional information and useful links are found on the ICONICS GENESIS64
security updates page.

Additional information and useful links are found on Mitsubishi Electric's
security advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----