Security
Headlines
HeadlinesLatestCVEs

Headline

Critical Auth Bugs Expose Smart Factory Gear to Cyberattack

Factory automation software from Mitsubishi Electric and Rockwell Automation could be subject to remote code execution (RCE), denial-of-service (DoS), and more.

DARKReading
#vulnerability#ios#dos#rce#auth

Source: frans lemmens via Alamy Stock Photo

Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS).

That’s according to the US Cybersecurity and Infrastructure Security Agency (CISA), which warned yesterday that an attacker could exploit the Mitsubishi Electric bug (CVE-2023-6943, CVSS score of 9.8) by calling a function with a path to a malicious library while connected to the device — resulting in authentication bypass, RCE, DoS, or data manipulation.

The Rockwell Automation bug (CVE-2024-10386, CVSS 9.8), meanwhile, stems from a missing authentication check; a cyberattacker with network access could exploit it by sending crafted messages to a device, potentially resulting in database manipulation.

The critical vulnerabilities are two out of several issues affecting Mitsubishi’s and Rockwell Automation’s smart-factory portfolios, all listed in CISA’s Halloween disclosure. Both industrial control systems (ICS) suppliers have issued mitigations for manufacturers to follow in order to avoid future compromise.

The noncritical bugs include:

  • An out-of-bounds read that could result in DoS (CVE-2024-10387, CVSS 7.5) also affects the Rockwell Automation FactoryTalk ThinManager.

  • A remote unauthenticated attacker may be able to bypass authentication in Mitsubishi Electric FA Engineering Software Products by sending specially crafted packets (CVE-2023-6942, CVSS 7.5). And the Mitsubishi Electric portfolio is also vulnerable to several lower-severity bugs, CISA noted.

  • An authentication bypass vulnerability in the Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (CVE-2023-2060, CVSS 8.7) exists in its FTP function on EtherNet/IP modules. Weak password requirements could allow a remote, unauthenticated attacker to access the module via FTP by dictionary attack or password sniffing. Meanwhile, several other lower-severity issues also affect the platform, CISA noted.

Related:Dark Reading Confidential: Pen-Test Arrests, 5 Years Later

Manufacturers should apply patches and mitigations as soon as possible, given that smart factories are among the most-targeted ICS sectors. The news also comes as nation-state attacks on US critical infrastructure have ramped up, with CISA warning that both Russian and Chinese advanced persistent threats (APTs) show no signs of letting up their assaults on utilities, telecoms, and other high-value targets. Canada as well recently warned of sustained cyber assaults from China on its critical infrastructure footprint.

Related:IT Security Centralization Makes the Use of Industrial Spies More Profitable

About the Author

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Related news

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Oct 28 - Nov 03)

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️) We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean.

DARKReading: Latest News

Too Much 'Trust,' Not Enough 'Verify'