Lucene search

K
icsIndustrial Control Systems Cyber Emergency Response TeamICSA-23-052-01
HistoryFeb 21, 2023 - 12:00 p.m.

Mitsubishi Electric MELSOFT iQ AppPortal

2023-02-2112:00:00
Industrial Control Systems Cyber Emergency Response Team
www.cisa.gov
31
melsoft iq appportal
remote exploitable
mitsubishi electric
http request smuggling
insufficient verification
apache http server
ip address authentication
critical manufacturing

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

84.0%

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8 *ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: MELSOFT iQ AppPortal
  • Vulnerabilities: HTTP Request Smuggling, Insufficient Verification of Data Authenticity

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products and versions are affected:

  • MELSOFT iQ AppPortal (SW1DND-IQAPL-M): v1.00A to 1.29F

3.2 VULNERABILITY OVERVIEW

3.2.1 INCONSISTENT INTERPRETATION OF HTTP REQUESTS (β€˜HTTP REQUEST/RESPONSE SMUGGLING’) CWE-444

MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in unidentified impacts such as authentication bypass, information disclosure, or a denial-of-service condition in Apache HTTP Server used by VisualSVN Server.

CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in IP address authentication bypass in the Apache HTTP Server used by VisualSVN Server.

CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • **COUNTRIES/AREAS DEPLOYED:**Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends downloading and applying update version 1.32J or later software.

Mitsubishi Electric recommends users apply the following workarounds or mitigation measures to minimize the risk:

  • Disable mod_proxy and mod_proxy_ajp in the VisualSVN Server settings if possible.
  • When a PC with the product installed needs access to the internet, use a firewall or virtual private network (VPN), etc. to prevent unauthorized access.
  • Use a PC with the product installed within a local area network (LAN) and use a firewall, etc. to minimize connection to the network and restrict access only from trusted networks and hosts.
  • Minimize user privilege for the product users.
  • Install antivirus software on the computer where the product is used.

Users should contact Mitsubishi Electric for assistance, if needed.

For specific update instructions and additional details see the Mitsubishi Electric advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

References

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

84.0%