Flaws in Mitsubishi PLCs let an attacker snoop

A Mitsubishi Electric office building in Markham, Canada. Researchers detailed five vulnerabilities impacting safety programmable logic controllers that let an attacker view and use the username and password to authenticate themselves. (Credit: Wikimedia Commons)

Researchers at Nozomi Networks say they have discovered five vulnerabilities in Mitsubishi safety programmable logic controllers.

Some of the vulnerabilities let an attacker exchange packets with a targeted controller, while others also let them snoop on network traffic between the controller and its corresponding engineering workstation.

Mitsubishi has released a series of advisories on their website detailing potential mitigations, but there are currently no patches available for the bugs. Nozomi said that they are disclosing them now because it is “likely” that the problem is not unique to Mitsubishi PLCs. For that reason, the researchers are not releasing a proof of concept or much in the way of technical details.

“It’s likely that the types of issues we uncovered affect the authentication of OT protocols from more than a single vendor, and we want to help protect as many systems as possible,” the authors wrote. “Our general concern is that asset owners might be overly reliant on the security of the authentication schemes bolted onto OT protocols, without knowing the technical details and the failure models of these implementations.”

At a general level, the vulnerabilities affect the authentication protocols of MELSOFT, the communications protocol used by Mitsubishi safety PLCs and workstations. Initially, they allowed a malicious actor to get access to a cleartext version of the password after submitting a username using brute force techniques.

This exposure was apparently fixed through mitigations on Mitsubishi’s side, and new functionality was added to prevent brute force attempts, but this wound up creating another problem. The anti-brute-force mechanism was overly restrictive and essentially allowed an attacker to conduct a denial of service attack against other parties.

“The consequence of this design is that if an attacker sends a limited number of passwords to the PLC, enough to trigger the anti-brute-force protection, all users with legitimate credentials are effectively blocked from authenticating with the device,” the researchers wrote.

Owners can either reboot and reauthenticate, or block the packets and log in again after the authentication window expires.

They also found at least two instances of password-equivalent secrets leaking from packets that would allow an attacker to authenticate themselves with a controller. Since MELSOFT does not tie session tokens to IP addresses, attackers can also reuse them if they’re able to read the packet. Finally, they can change the passwords for registered users, locking out asset owners and forcing a full shutdown of the PLC.
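The two failure models described above, the device-wide lockout that blocks legitimate users and the session token that is not tied to the client, can be illustrated with a small Python model of a PLC login service. This is an added example written for this article, not Mitsubishi's or Nozomi's code; the credentials, addresses and lockout threshold are constructed values.

```python
# Added illustration (not Mitsubishi's code) of the lockout failure mode described
# above. Policy A: one device-wide failure counter, so a few bad guesses from any
# host block every user, and the session token is not bound to the client.
# Policy B: failures counted per source address, token bound to the address that
# authenticated. Credentials and addresses are constructed sample values.
import secrets
from collections import defaultdict
MAX_FAILURES = 3
PASSWORDS = {"maint": "constructed-example-pw"}  # constructed sample credential

class GlobalLockoutPLC:
    """Policy A: the failure mode (shared counter, unbound token)."""
    def __init__(self):
        self.failures = 0
    def login(self, user, password, src):
        if self.failures >= MAX_FAILURES:
            return None                   # everyone is locked out
        if PASSWORDS.get(user) == password:
            self.failures = 0
            return secrets.token_hex(8)   # token carries no client binding
        self.failures += 1
        return None
    def use_token(self, token, src):
        return token is not None          # any holder of the token may use it

class PerSourcePLC:
    """Policy B: per-source throttling, token bound to the source address."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.sessions = {}
    def login(self, user, password, src):
        if self.failures[src] >= MAX_FAILURES:
            return None                   # only the abusive source is throttled
        if PASSWORDS.get(user) == password:
            self.failures[src] = 0
            token = secrets.token_hex(8)
            self.sessions[token] = src
            return token
        self.failures[src] += 1
        return None
    def use_token(self, token, src):
        return self.sessions.get(token) == src

def legit_user_can_login_after_guesses(plc):
    for _ in range(MAX_FAILURES):         # three wrong guesses from one host
        plc.login("maint", "wrong", src="10.0.0.66")
    return plc.login("maint", PASSWORDS["maint"], src="10.0.0.10") is not None

def token_replayable_from_other_host(plc):
    token = plc.login("maint", PASSWORDS["maint"], src="10.0.0.10")
    return plc.use_token(token, src="10.0.0.66")  # presented from another host
```

Under Policy A the legitimate user is refused after the guesses and the token is accepted from any host; under Policy B the legitimate user still logs in and the token only works from the address it was issued to.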

For mitigation, the researchers advise defenders to put in place extra security protections for initial access to the PLC itself, as well as the link between the PLC and workstation in order to prevent access to MELSOFT. Because usernames and passwords are part of the data that leaks in cleartext, both should be updated.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
