A Widely Deployed Mitsubishi Industrial Controller Is Vulnerable to Remote Exploitation

• All versions of the Mitsubishi Electric MELSEC iQ-R Series CPU module are vulnerable to remote exploitation.
• There are no fixing patches available right now, so mitigation is the only way to address the threat.
• With the issues going public, malicious actors are sure to ramp up their scanning efforts now.

CISA has released an urgent security notice to warn the public about a set of flaws that affect the MELSEC iQ-R Series CPU module by Mitsubishi Electric, which is deployed in critical manufacturing sectors around the world. There are no fixing patches to address the flaws yet, so users of the vulnerable product are urged to apply mitigations as soon as possible. Not responding to the emergency quickly puts the users at risk of unauthorized remote access, CPU module access, DoS, network traffic sniffing, and more.

The flaws are the following:

• CVE-2021-20594: Brute-forcing the module remotely to acquire legitimate usernames. CVSS v3 – 5.9
• CVE-2021-20597: Obtain unprotected credentials by sniffing the network traffic. CVSS v3 – 7.4
• CVE-2021-20598: Lock out a legitimate user (denial of service) by remotely attempting to log in using a known username and incorrect passwords. CVSS v3 – 3.7

The vulnerable products are all versions of the R08/16/32/120SFCPU and all versions of the R08/16/32/120PSFCPU. Mitsubishi has promised to push out firmware fixes for the first two of the flaws (the third one will be automatically addressed as a result). Still, until then, users are advised to apply the following mitigations:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.
• Use the IP filter function* to restrict the accessible IP addresses.
• Register user information or change the password via USB. If you have already registered user information or changed the user’s password via the network, change the password once via USB. This mitigation is applicable to CVE-2021-20597.

Since all three flaws can be exploited remotely, it is more likely for malicious actors to go hunting for them now that CISA has published an alert on them. As such, minimizing network exposure for all control systems and devices is key, as not showing up as vulnerable on network scans is a solid step to avoiding trouble. Another good practice would be to put those devices behind strict firewalls and isolate them from critical parts of your business network.