As the US Cybersecurity and Infrastructure Security Agency (CISA) reported last week, dozens of Mitsubishi Electric factory automation products are affected by three flaws that can be exploited for privilege escalation, arbitrary code execution and DoS attacks.
Mitsubishi has already released patches for many of the affected products and provides mitigation methods for the rest, as well as for customers who cannot install the updates immediately.
The cybersecurity company Claroty reported the flaws to Mitsubishi in late 2019 and early 2020, as part of its research into ICS project files. In fact, Claroty recently released an open source tool that allows researchers to analyze Microsoft Access database files associated with SCADA applications.
The Claroty researcher who discovered these vulnerabilities, Mashav Sapir, said the flaws were found in one of the products, which had been used by a customer, but applauded Mitsubishi for providing a complete list of affected products.
Sapir noted that one of the flaws, CVE-2020-14523, can be exploited remotely by tricking a user into opening a specially crafted file through a phishing attack.
An intruder could take advantage of this vulnerability to drop a malicious executable file on the target system and then exploit one of the other two flaws, CVE-2020-14496 or CVE-2020-14521, to run this file with elevated privileges.
"An attacker who manages to exploit these vulnerabilities will gain full access and control over the computer which uses Mitsubishi engineering software," the researcher explained. "This means that they have full access to both the configuration of ICS devices and the ability to change it at will, as well as full network access to these devices, so they also have the ability to attack them directly. This means that an attacker could now compromise the operation of the OT environment by modifying it or shutting it down completely without detection."