Mitsubishi Electric MELSEC WS Series Active Debug Code (CVE-2023-1618)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501187);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2023-1618");

  script_name(english:"Mitsubishi Electric MELSEC WS Series Active Debug Code (CVE-2023-1618)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Active Debug Code vulnerability in Mitsubishi Electric Corporation
MELSEC WS Series WS0-GETH00200 all versions allows a remote
unauthenticated attacker to bypass authentication and illegally log
into the affected module by connecting to it via telnet which is
hidden function and is enabled by default when shipped from the
factory. As a result, a remote attacker with unauthorized login can
reset the module, and if certain conditions are met, he/she can
disclose or tamper with the module's configuration or rewrite the
firmware.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-002_en.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?47ecc2a6");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-138-02");
  script_set_attribute(attribute:"see_also", value:"https://jvn.jp/vu/JVNVU96063959");
  script_set_attribute(attribute:"solution", value:
'The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Mitsubishi Electric has released the following versions to fix this vulnerability:

- WS0-GETH00200: Serial numbers 2311**** and later.

For the affected products, Mitsubishi Electric recommends users to take the following mitigation measures:

- Set password for telnet sessions that are difficult for third parties to guess. The password can be up to 15
characters long. Note that "[space]" in the input string represents a single-byte space. Users can change the password
for the telnet session of the affected product by using the telnet client and performing:
- Password setting: 
    - Enter "telnet[space]" followed by the IP address of the affected product and press the Enter key.
    - When "Password" is displayed, press the Enter key without entering anything.
    - When "telnet>" is displayed, enter "password[space]" followed by the desired password string and press the Enter
key.
    - Enter "quit" and press the Enter key.
- Confirm the password is set: 
    - After the Password setting process, enter "telnet[space]" followed by the IP address of the affected product and
press the Enter key.
    - When "Password" is displayed, enter the password string set in the Password setting process and press the Enter
key.
    - If "telnet>" is displayed, the password is set correctly.
    - Enter "quit" and press the Enter key.

Alternatively, Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of
exploiting this vulnerability:

- Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
- Use product within a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
- Restrict physical access to prevent untrusted devices from connecting to the LAN.
- For more information, see Mitsubishi Electric’s Security Advisory.');
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:C/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-1618");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(1188);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/05/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/06/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mitsubishielectric:melsec_ws0-geth00200_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Mitsubishi");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Mitsubishi');

var asset = tenable_ot::assets::get(vendor:'Mitsubishi');

var vuln_cpes = {
    "cpe:/o:mitsubishielectric:melsec_ws0-geth00200_firmware" :
        {"family" : "MELSECWS"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);