ICSA-24-184-03 · Published 2026-04-07
Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update D)
CVSS 7.0 HIGH
Risk Summary
Successful exploitation of these vulnerabilities could result in denial-of-service, improper privilege management, or potentially arbitrary code execution.
Remediations
- Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3" and install it. For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".
- Mitsubishi Electric is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and devices behind firewalls and isolating them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting physical access to the personal computer where the product is installed and the network to which the personal computer is connected to prevent unauthorized contact, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing the user from clicking on web links in e-mails or other messages from untrusted sources, or from opening attachments in untrusted e-mails, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend disabling the BACnet Secure Connect feature if it is enabled. Note that this function is installed on GENESIS64 and ICONICS Suite as the beta version and it is disabled by the default configuration. Refer to ICONICS Product Help (https://docs.iconics.com/V10.97.2/GENESIS64/Help/Apps/WBDT/BACnet_SC/Overview_of_BACnet_SC.htm) for the procedure to disable this function.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing importing certificates from untrusted sources, to minimize the risk of exploiting this vulnerability.
- Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".
- Mitsubishi Electric is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend disabling the BACnet Secure Connect feature if it is enabled. Note that this function is installed on the affected products as the beta version and it is disabled by the default configuration. Refer to ICONICS Product Help (https://docs.iconics.com/V10.97.2/GENESIS64/Help/Apps/WBDT/BACnet_SC/Overview_of_BACnet_SC.htm) for the procedure to disable this function.
- For Mitsubishi Electric Iconics Digital Solutions GENESIS64, ICONICS Suite, and Hyper Historian users who do not need to use the Pager agent, download the fixed version 10.98 or later from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads?tabset-a9d51=51905" and install it. For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".
- For Mitsubishi Electric GENESIS64, ICONICS Suite, and Hyper Historian users who do not need to use the Pager agent, download the fixed version 10.98 or later from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads?tabset-a9d51=51905" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".
- For Mitsubishi Electric Iconics Digital Solutions GENESIS64, ICONICS Suite, and Hyper Historian users who need to use the Pager agent: The affected feature, the multi-agent notification feature, is no longer part of the default installation for GENESIS64 and ICONICS Suite Version 10.97.3 and later. Do not custom install this feature unless you specifically need it. For GENESIS32 and MC Works64, do not install the multi-agent notification feature.
- For Mitsubishi Electric GENESIS64, ICONICS Suite, and Hyper Historian users who need to use the Pager agent: The affected feature, the multi-agent notification feature, is no longer part of the default installation for GENESIS64 and ICONICS Suite Version 10.97.3 and later. Do not custom install this feature unless you specifically need it. For GENESIS32 and MC Works64, do not install the multi-agent notification feature.
- There are no plans to release a security update for Mitsubishi Electric Iconics Digital Solutions GENESIS32. The affected feature, the multi-agent notification feature, is no longer part of the default installation for GENESIS64 and ICONICS Suite Version 10.97.3 and later. Do not custom install this feature unless you specifically need it. For GENESIS32 and MC Works64, do not install the multi-agent notification feature.
- There are no plans to release a security update for Mitsubishi Electric GENESIS32 and MC Works64. In the security settings, ensure that at least one of the following four conditions is not met: (1) Active Directory is used in the security setting. (2) “Automatic log in” option is enabled in the security setting. (3) The IcoAnyGlass IIS application pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONICS Suite and MC Works64 Security and has permission to log in.
- For users of products that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and devices behind firewalls and isolating them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting physical access to the personal computer where the product is installed and the network to which the personal computer is connected to prevent unauthorized contact, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing the user from clicking on web links in e-mails or other messages from untrusted sources, or from opening attachments in untrusted e-mails, to minimize the risk of exploiting this vulnerability.
- For users of GENESIS64, ICONICS Suite, and Hyper Historian that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend not custom installing this feature unless you specifically need it. The affected feature, the multi-agent notification feature, is no longer part of the default installation for GENESIS64, ICONICS Suite, and Hyper Historian Version 10.97.3 and later. For users of GENESIS32 and MC Works64 that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing the installation of the multi-agent notification feature.
- Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".
- Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for IoTWorX. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/a375a000004qDU8AAM/iotworx". For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".
- Mitsubishi Electric is releasing fixed version 10.97.3 or later for IoTWorX. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/a375a000004qDU8AAM/iotworx". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".
- There are no plans to release a security update for Mitsubishi Electric MC Works64. In the security settings of MC Works64, ensure that at least one of the following four conditions is not met: (1) Active Directory is used in the security setting. (2) “Automatic log in” option is enabled in the security setting. (3) The IcoAnyGlass IIS application pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONICS Suite and MC Works64 Security and has permission to log in.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and devices behind firewalls and isolating them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.
- For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend ensuring that at least one of the following four conditions in the security settings of GENESIS64, ICONICS Suite and MC Works64 is not met: (1) Active Directory is used in the security setting. (2) "Automatic log in" option is enabled in the security setting. (3) The IcoAnyGlass IIS application pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONICS Suite and MC Works64 Security and has permission to log in.
- Mitsubishi Electric is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from the link "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".
- For users of Mitsubishi Electric Iconics Digital Solutions GENESIS32 and BizViz: Locate control system networks and devices behind firewalls and isolate them from untrusted networks and hosts. Restrict physical access to the personal computer where the product is installed and the network to which the personal computer is connected to prevent unauthorized contact. Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.
- For users of Mitsubishi Electric GENESIS32, BizViz, and MC Works64: Locate control system networks and devices behind firewalls and isolate them from untrusted networks and hosts. Restrict physical access to the personal computer where the product is installed and the network to which the personal computer is connected to prevent unauthorized contact. Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.
Affected Vendors
Mitsubishi Electric
Mitsubishi Electric Iconics Digital Solutions
Affected Products (33)
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite · 10.97.2
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite · <=10.97.2
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite · <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 · 10.97.2
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 · <=10.97.2
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 · <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · Hyper Historian · 10.97.2
Mitsubishi Electric Iconics Digital Solutions · Hyper Historian · <=10.97.2
Mitsubishi Electric Iconics Digital Solutions · Hyper Historian · <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · AnalytiX · 10.97.2
Mitsubishi Electric Iconics Digital Solutions · AnalytiX · <=10.97.2
Mitsubishi Electric Iconics Digital Solutions · MobileHMI · 10.97.2
Mitsubishi Electric Iconics Digital Solutions · MobileHMI · <=10.97.2
Mitsubishi Electric Iconics Digital Solutions · GENESIS32 · <=9.7
Mitsubishi Electric Iconics Digital Solutions · BizViz · <=9.7
Mitsubishi Electric Iconics Digital Solutions · IoTWorX · 10.95
Mitsubishi Electric · ICONICS Suite · 10.97.2
Mitsubishi Electric · ICONICS Suite · <=10.97.2
Mitsubishi Electric · ICONICS Suite · <=10.97.3
Mitsubishi Electric · GENESIS64 · 10.97.2
Mitsubishi Electric · GENESIS64 · <=10.97.2
Mitsubishi Electric · GENESIS64 · <=10.97.3
Mitsubishi Electric · Hyper Historian · 10.97.2
Mitsubishi Electric · Hyper Historian · <=10.97.2
Mitsubishi Electric · Hyper Historian · <=10.97.3
Mitsubishi Electric · AnalytiX · 10.97.2
Mitsubishi Electric · AnalytiX · <=10.97.2
Mitsubishi Electric · MobileHMI · 10.97.2
Mitsubishi Electric · MobileHMI · <=10.97.2
Mitsubishi Electric · GENESIS32 · <=9.7
Mitsubishi Electric · BizViz · <=9.7
Mitsubishi Electric · MC Works64 · vers:all/*
Mitsubishi Electric · IoTWorX · 10.95
Affected Sectors
Critical Manufacturing