Mitsubishi Electric FA Engineering Software contains multiple flaws
Take action: Make sure all Mitsubishi Electric PLCs and engineering software are isolated from the internet and only accessible from trusted networks. Then plan a quick update all affected software (GX Works3, GX Works2, GT Designer3, and related tools) to the latest versions, then enable security key secure mode and set the security version to "2" in all projects.
Learn More
CISA is reporting multiple vulnerabilities in Mitsubishi Electric's Factory Automation (FA) engineering software products. The vulnerabilities could allow remote unauthenticated attackers to gain unauthorized access to MELSEC programmable logic controller (PLC) modules, view and execute programs without permission, and access sensitive project files.
Vulnerabilities summary:
- CVE-2022-29830 (CVSS score 9.1) - Use of Hard-coded Cryptographic Key allowing remote unauthenticated attackers to disclose or tamper with sensitive information and obtain project file data
- CVE-2022-25164 (CVSS score 8.6) - Cleartext Storage of Sensitive Information enabling remote unauthenticated attackers to gain unauthorized access to MELSEC CPU modules and OPC UA server modules
- CVE-2022-29831 (CVSS score 7.5) - Use of Hard-coded Password allowing remote unauthenticated attackers to obtain information about project files for MELSEC safety CPU modules
- CVE-2022-29826 (CVSS score 6.8) - Cleartext Storage of Sensitive Information permitting remote unauthenticated attackers to view programs and project files or execute programs illegally
- CVE-2022-29827 (CVSS score 6.8) - Use of Hard-coded Cryptographic Key enabling remote unauthenticated attackers to view programs and project files or execute programs illegally
- CVE-2022-29828 (CVSS score 6.8) - Use of Hard-coded Cryptographic Key allowing remote unauthenticated attackers to view programs and project files or execute programs illegally
- CVE-2022-29829 (CVSS score 6.8) - Use of Hard-coded Cryptographic Key permitting remote unauthenticated attackers to view programs and project files or execute programs illegally
- CVE-2022-29833 (CVSS score 6.8) - Insufficiently Protected Credentials vulnerability enabling remote unauthenticated attackers to access MELSEC safety CPU modules illegally
- CVE-2022-29825 (CVSS score 5.6) - Use of Hard-coded Password allowing unauthenticated attackers to view programs and project files or execute programs illegally
- CVE-2022-29832 (CVSS score 3.7) - Cleartext Storage of Sensitive Information in Memory enabling remote unauthenticated attackers to obtain information about safety CPU module project files or project files for MELSEC Q/FX/L series with security settings
Affected products include GX Works3 engineering workstation software, which serves as the primary mechanism for programming and maintaining MELSEC iQ-R, iQ-F, and iQ-L series PLCs. Also impacted are MX OPC UA Module Configurator-R, GX Works2, GX Developer, GT Designer3 Version1 for GOT2000 human-machine interfaces, Motion Control Setting software, and MT Works2.
Mitsubishi Electric has released updated versions of the affected software products to address these vulnerabilities. Users should upgrade GX Works3 to version 1.096A or later, MX OPC UA Module Configurator-R to version 1.09K or later, GT Designer3 to version 1.295H or later, Motion Control Setting to version 1.070Y or later, and MT Works2 to version 1.205P or later.
After updating, administrators must enable additional security features including setting security keys to secure mode and configuring security version settings to "2" for projects. Mitsubishi Electric also recommends restricting access to project files and configuration data on host machines, installing antivirus software, encrypting project files during transmission over the internet, and using certificate-based authentication instead of username/password authentication for OPC UA client connections.
