Cybersecurity, PLCs and DoS
Mitsubishi Electric (ME) manufactures various products through their lines. One of these is the programmable logic controller (PLC). PLCs are not singularly used in one industry or another. These have many uses across many industries. The units are used across the world, in Mitsubishi Electric’s case, in manufacturing facilities.
ME has several different PLC models manufactured and actively used. Of the many PLCs manufactured, the subject model is MELSEC-Q series QJ71E71-100 Ethernet Interface modules with serial numbers 20121 and prior were subject to the vulnerability. While this is only one model, these are placed in service in a myriad of locations.
The vulnerability has been noted with ICSA-19-141-02 and CVE-2019-10977. This has a high severity with a CVSS score of 7.5. This indicates the organizations employing this hardware should have paid strict attention to this. This issue being left open would create the potential for a significant problem. The issue involves the denial of service (DoS) attack vector. The vulnerability may be exploited remotely. This makes the vulnerability especially interesting for the organizations using this. The attack is done through sending malicious TCP packets. These are sent to the target’s FTP service. This ends up, when exploited, in placing the PLC into fault mode, which ceases its operations. The only option to correct this is to restart the PLC. While not as detrimental as other successful attacks, this shuts down the PLC and any other services or functions dependent on it.
The attacker could exploit the issue, from anywhere with a good internet connection. One saving grace with this is the PLCs are not detectable using Shodan or a like tool.
Fortunately, ME resolved the vulnerability issue with firmware update version 20122. With this downloaded and into each PLC, there could have been rather significant issues causing many headaches.
CISA. (2019, May 21). ICA advisory (ICSA-19-141-02). Retrieved from https://www.us-cert-gov/ics/advisories/ICSA-19-141-02
Kovacs, E. (2019, May 22). Flaw exposes Mitsubishi PLCs to remote DoS attacks. Retrieved from https://www.securityweek.com/flaw-exposes-mitsubishi-plcs-remote-dos-attacks
SecuriTeam. (2019, July 15). Mitsubishi electric MELSEC-Q series Ethernet module ZJ71E71-100 serial number 20121 remote code execution vulnerability. Retrieved from https://securiteam.com/securitynews/mitsubishi-electric-melser-q-series-ethernet-module-qq71e71-100-serial-number-20121-remote-code-execution-vulnerability/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.