Critical Authentication Vulnerabilities Threaten Smart Factory Equipment
November 1, 2024
Factory automation software developed by Mitsubishi Electric and Rockwell Automation is affected by critical security flaws that could enable remote code execution (RCE), authentication bypass, product manipulation, and denial-of-service (DoS) attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about these vulnerabilities, noting that attackers could exploit them to carry out malicious activity.
The vulnerability in Mitsubishi Electric's software (CVE-2023-6943) can be exploited by an attacker who calls a function with a path to a malicious library while connected to the device. This could result in authentication bypass, RCE, DoS, or data manipulation. The Rockwell Automation software also has a vulnerability (CVE-2024-10386) that stems from a missing authentication check. An attacker with network access could exploit this vulnerability by sending crafted messages to a device, potentially resulting in database manipulation.
These critical vulnerabilities are among several issues affecting the smart-factory portfolios of Mitsubishi and Rockwell Automation, as detailed in CISA's recent disclosure. Both industrial control systems (ICS) suppliers have provided mitigation strategies for manufacturers to follow to prevent future compromise.
An out-of-bounds read vulnerability (CVE-2024-10387) also affects the Rockwell Automation FactoryTalk ThinManager, potentially leading to a DoS attack. Furthermore, a remote unauthenticated attacker may be able to bypass authentication in Mitsubishi Electric FA Engineering Software Products by sending specially crafted packets (CVE-2023-6942). The Mitsubishi Electric portfolio is also vulnerable to several lower-severity bugs, as noted by CISA.
An authentication bypass vulnerability exists in the Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (CVE-2023-2060), specifically in its FTP function on EtherNet/IP modules. Weak password requirements could allow a remote, unauthenticated attacker to access the module via FTP by using a dictionary attack or password sniffing. CISA also noted several other lower-severity issues affecting the platform.
Manufacturers are advised to apply patches and mitigations as soon as possible, as smart factories are among the most-targeted ICS sectors. This news comes at a time when nation-state attacks on US critical infrastructure are increasing, with CISA warning that both Russian and Chinese advanced persistent threats (APTs) show no signs of reducing their attacks on utilities, telecoms, and other high-value targets. Canada has also recently issued a warning about sustained cyber attacks from China on its critical infrastructure.