Rewterz Threat Advisory – ICS: ICONICS and Mitsubishi Electric HMI SCADA

Severity

High

Analysis Summary

CVE-2022-23127

ICONICS MobileHMI and Mitsubishi Electric MC Mobile products lack proper validation checks on user input and external data when they are used to render a page to the client.

CVE-2022-23128 

The FrameWorX Server in all ICONICS Suite and Mitsubishi Electric MC Works64 products can allow an attacker to bypass GENESIS64 /MC Works64 security when opening a communication channel to the WebSocket endpoint (Port 80 or 443) of the FrameWorX Server.

CVE-2022-23129

The GENESIS64 and MC Works64 Workbench “export to CSV” function may expose a password in plain text when used to export the GridWorX Server configuration.

CVE-2022-23130

A coding error in the SQL query engine memory allocation code makes it possible to execute a series of SQL commands in a GENESIS64 system or a MC Works64 system, which could cause a crash of the SQL Query Engine and result in the disabling of the SQL Server.

Impact

• Unauthorized Access
• Cross-Site Scripting
• Buffer Overflow
• Code Execution

Affected Vendors

• ICONICS and Mitsubishi Electric

Affected Products

• CWE-79 All versions up to and including 10.96.2
• CWE-184 All versions from 10.95.3 to 10.97
• CWE-256 All versions from 10.90 to 10.97
• CWE-126 All versions up to and including 10.97
• CWE-79 All versions prior to 4.04E (10.95.210.01)
• CWE-184 MC Works64: Version 4.00A (v10.95.201.23) to 4.04E (v10.95.210.01)
• CWE-256 All versions prior to 4.04E (10.95.210.01)
• CWE-126 MC Works64: Version 4.00A (v10.95.201.23) to 4.04E (v10.95.210.01)

Remediation

Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.
https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01