The US Cybersecurity and Infrastructure Security Agency (CISA) has urged manufacturing companies to apply mitigations after one Rockwell Automation and several Mitsubishi systems were found to be vulnerable to cyber-attacks.
In a new industrial control systems (ICS) security advisory published on October 31, CISA shared details on four sets of recently discovered vulnerabilities affecting the following ICS products:
- Rockwell Automation FactoryTalk ThinManager
- Mitsubishi Electric FA Engineering Software Products
- Mitsubishi Electric Multiple FA Engineering Software Products
- Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series
The vulnerabilities affecting Rockwell Automation FactoryTalk ThinManager, CVE-2024-10386 and CVE-2024-10387, are a missing authentication for critical function and an out-of-bounds read, respectively. Successful exploitation of these vulnerabilities could allow an attacker to send crafted messages to the device, resulting in database manipulation or a denial-of-service condition.
These critical vulnerabilities (CVSS scores of 9.3 and 8.7) are exploitable remotely and require low attack complexity.
The major vulnerability affecting Mitsubishi Electric FA Engineering Software Products, CVE-2023-6943, has a CVSS score of 9.8.
It would allow an attacker to execute malicious code by remotely calling a function with a path to a malicious library while connected to the products. As a result, unauthorized users may disclose, tamper with, destroy or delete product information, or cause a denial-of-service (DoS) condition on the products.
The major vulnerability affecting Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series, CVE-2023-2060, has a CVSS score of 8.7.
This authentication bypass vulnerability in an FTP function on an EtherNet/IP module is due to weak password requirements. It would allow a remote, unauthenticated attacker to access the module via FTP through a dictionary attack or password sniffing.
The advisory includes other vulnerabilities with lower severity scores.
CISA Mitigation Recommendations
Rockwell Automation and Mitsubishi shared specific recommendations to mitigate exploitation of all of these vulnerabilities. These can be found in CISA’s advisory.
CISA also recommended users take defensive measures to minimize the risk of exploitation of these vulnerabilities. These include:
- Minimizing network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet
- Locating control system networks and remote devices behind firewalls and isolating them from business networks
- When remote access is required, using more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available