Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 *ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric Corporation
• Equipment: MELFA SD/SQ series and F-series Robot Controllers
• **Vulnerability:**Active Debug Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to a robot controller.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports this vulnerability affects the following Robot Controllers:

• MELFA SD/SQ Series: firmware version S7x and prior
• MELFA SD/SQ Series: firmware version R7x and prior
• MELFA F-Series: firmware version S7x and prior
• MELFA F-Series: firmware version R7x and prior

Note: The affected firmware version depends on the model name; see Mitsubishi Electric’s publication for the specific model names and controller types.

3.2 VULNERABILITY OVERVIEW

3.2.1 ACTIVE DEBUG CODE CWE-489

An authentication bypass vulnerability due to active debug code exists in Mitsubishi Electric MELFA SD/SQ series and F-series controllers for industrial robots. An attacker could gain unauthorized access to a robot controller by performing an unauthorized telnet login.

CVE-2022-33323 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric released new firmware versions to address the issue. The fixed firmware version depends on the model name. Users should contact Mitsubishi Electric to obtain the latest firmware version:

• MELFA SD/SQ Series: Update to firmware version S7y or later
• MELFA SD/SQ Series: Update to firmware version R7y or later
• MELFA F-Series: Update to firmware version S7y or later
• MELFA F-Series: Update to firmware version R7y or later

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of an attacker exploiting this vulnerability:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
• Use affected products within a local area network (LAN) and block access from untrusted networks and hosts through firewalls.

For specific update instructions and additional details, see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from business networks.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.