CISA warns of numerous critical vulnerabilities in Mitsubishi Electric GX Works3 engineering software

The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued an advisory warning of numerous vulnerabilities in Mitsubishi Electric's GX Works3 engineering software.

“Successful exploitation of these vulnerabilities allows unauthorized attackers to view and execute programs, and gain access to the MELSEC iQ-R/F/L processor modules and the MELSEC iQ-R OPC UA server module,” the agency says.

GX Works3 is the latest generation of Mitsubishi Electric's programming and maintenance software, designed specifically for MELSEC iQ-R series control systems. It includes many new features, such as graphical system configuration, built-in positioning setup tools, and multi-language support, which together create an intuitive development environment.

Experts divided the 10 discovered vulnerabilities into several groups:

  • Three vulnerabilities involve cleartext storage of sensitive information;

  • Four vulnerabilities involve the use of a hard-coded cryptographic key;

  • Two involve the use of a hard-coded password;

  • One involves insufficiently protected credentials.

The most dangerous flaws, CVE-2022-25164 and CVE-2022-29830, are rated 9.1 out of 10 on the CVSS scale. Attackers can use them to gain access to the processor module and collect information without needing any permissions.

Another vulnerability, CVE-2022-29831, is rated 7.5 out of 10 on the CVSS scale. It can be exploited by an attacker who already has access to the project file of the PLC that ensures safety when working on the machine. Using a hard-coded password, the cybercriminal can gain direct access to the Safety PLC CPU and disrupt industrial processes.
