Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)

Risk Summary

Successful exploitation of these vulnerabilities could result in unauthorized access to information or to GENESIS64 and MC Works64 functionality, or the disabling of SQL Server in GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.

CVEs (4)

Remediations

• Mitsubishi Electric Iconics Digital Solutions is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities, the most recent version of which can be found here. https://iconics.com/About/Security/CERT
• Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-025_en.pdf
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and remote devices behind firewalls and isolating them from the business network, to minimize the risk of exploiting this vulnerability.
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting the connection of all control system devices and systems to the network so that they can only be accessed from trusted networks and hosts, to minimize the risk of exploiting this vulnerability.
• Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-026_en.pdf
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend switching the communication method of FrameWorX server from WebSocket communication to WCF communication and setting "WebSocketTransport" element to "false" in "FwxServer.Network.config" file located in the installation folder of the products, to minimize the risk of exploiting this vulnerability.
• Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-027_en.pdf
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database in the CSV file, after exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend deleting the authentication information (password) of the SQL database, before exporting the configuration information of GridWorX to the CSV file, to minimize the risk of exploiting this vulnerability.
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend changing the configuration of the security function so that users other than administrator is not authorized to export the configuration information of GridWorX to a CSV file, to minimize the risk of exploiting this vulnerability.
• Mitsubishi Electric is releasing security updates for the affected products as critical fixes/rollup releases. For more information on the security updates, refer to the Mitsubishi Electric security advisory, the most recent version of which can be found here. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2021-028_en.pdf
• There are no plans to release a security update for GENESIS32. To minimize the risk of exploitation of this vulnerability, please consider replacing to GENESIS64 or ICONICS Suite.
• For customers who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend avoiding clicking on web links in emails etc. from untrusted sources, and avoiding opening files attached to untrusted emails, to minimize the risk of exploiting this vulnerability.

Affected Vendors

Affected Products (29)

Affected Sectors

Critical Manufacturing