Due to several significant factors, there are a limited number of automobile manufacturers. The infrastructure expenses alone are massive and limits the scape of potential persons and organizations financially able to be involved.
Mitsubishi is Japan-based, is one of these manufacturers. As with most of the organizations, there are separate organizations under the general corporate envelope. For Mitsubishi, one of these is Mitsubishi Electric.
FR Configurator 2 Inverter Engineering Software
The subject issue is with the FR Configurator 2 inverter software. This affects version 1.165 and 1.10L and prior for SW1DND-FRCZ-E or -J. This works to permit the user to set-up, program, configure, and monitor the drives. This software runs on all versions of MS Windows. This is used throughout the world.
With this software tool, there are three significant vulnerabilities. The first isa high severity issue with a CVSSv3 score of 8.8. This is associated with the XML external entity (XXE) processing. This works by exploiting the DTD parameter. When this vulnerability is exploited, the attacker is able to read and exfiltrate files located on the targeted system. To execute this, the user has to only open a malicious files. As a bonus, this may in certain instances allow the attacker to execute their malicious code on the target system. This has been labelled as ICSA-10-204-01 and CVE-2019-10976.
The second vulnerability permits the attacker to force the software from responding. This operates much like a DoS attack, aka CPU exhaustion. The only way to resolve this is to do a hard restart. This vulnerability is labelled as ICSA-19-204-01 and CVE-2019-10972. This vulnerability has been rated as the medium severity issue with a CVSSv3 score of 5.5. This is exploited also by having the user open a malicious file. The first and second vulnerabilities both require social engineering and a phishing attempt. The end goal is to have the user open the email and attachment.
The third and last vulnerability rated as a high severity, under CVSSv3 score of 8.2. With this issue, the problem is with the binary’s read, write, and execute rights. This allows for privilege escalation. When exploited, this allows an account with lower level privileges, such as a guest account, to increase their rights, and may execute malicious files.
These vulnerabilities were relatively significant. These could allow the successful attackers to effectively shut down a system, exfiltrate data, and elevate privileges. Mitsubishi Electric advised the users not to open files from sources unknown or untrusted to the user. When the user receives an email which is unsolicited, the user should not click on links or attachments.
Cyware. (2019, July 24). Vulnerabilities found in mitsubishi inverter engineering software. Retrieved from https://cyware.com/news/vulnerabilities-found-in-mitsubishi-inverter-engineering-software-fe6610d7
ISS Source. (2019, July 23). Mitsubishi fixes FR configurator 2 holes. Retrieved from https://isssource.com/mitsubishi-fixes-fr-configurator-2-holes/
Kovacs, E. (2019, July 24). Vulnerabilities found in mitsubishi inverter engineering software. Retrieved from https://www.securityweek.com/vulnerabilities-found-mitsubishi-invertr-engineering-software
Mitsubishi Electronic. (2019, July 23). XML vulnerability in FR configurator 2. Retrieved from https://www.mitsubishielectric.com/fa/download/software/drv/inv/vulnerability-protection/2019-001.pdf
Mitsubishi Electric. (2019, July 24). AUSCERT external security bulletin redistribution.
US-Cert. (2019, July 23). ICS advisory (ICSA-19-204-01). Retrieved from https://www.us-cert.gov/ics/advisories/icsa-19-204-01
Westenberg, T. (2019, July 24). AR 2019011: Mitsubishi electric FR configurator 2 multiple vulnerabilities.
Zurkus, K. (2019, May 22). Firmware vulnerability in mitsubishi electric. Retrieved from https://www.infosecurity-magazine.com/news/firmware-vulnerability-in-1/
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!