ICSA-24-338-04  ·  Published 2026-04-07

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update C)

CVSS 7.8 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow a local attacker to execute arbitrary code by storing a specially crafted DLL in a specific folder or by tampering with a specially crafted DLL. This could allow the attacker to disclose, tamper with, destroy, or delete information in the affected products, or to cause a denial-of-service (DoS) condition on the products.

Remediations

  • For GENESIS64, ICONICS Suite, and Hyper Historian users who do not need to use the Phone agent, download and install Version 10.98 or later from the link (https://iconicsinc.my.site.com/community/s/resource-center/product-downloads?tabset-a9d51=51905).
  • For GENESIS64, ICONICS Suite, and Hyper Historian users who need to use the Phone agent and are using a Dialogic telephony board, install the driver provided by Dialogic. For GENESIS64 and ICONICS Suite users who need to use the Phone agent and are using a non-Dialogic telephony board, there are no plans to release a fixed version for the Phone agent. If you do not need to use the multi-agent notification feature, uninstall it. The multi-agent notification feature is not included in the default installation of GENESIS64 and ICONICS Suite version 10.97.3 or later. For users who need to use the multi-agent notification feature, and do not need to use the Phone agent, execute a custom installation of the multi-agent notification feature and skip the installation of the Phone agent.
  • There are no plans to release fixed versions for MC Works64 and GENESIS32. If you do not need to use the multi-agent notification feature, uninstall it. The multi-agent notification feature is not included in the default installation of GENESIS64 and ICONICS Suite version 10.97.3 or later. For users who need to use the multi-agent notification feature, and do not need to use the Phone agent, execute a custom installation of the multi-agent notification feature and skip the installation of the Phone agent.
  • For users who do not need to use the multi-agent notification feature, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend uninstalling it, to avoid the risk of exploiting this vulnerability. The multi-agent notification feature is not included in the default installation of GENESIS64 and ICONICS Suite version 10.97.3 or later.
  • For users who need to use the multi-agent notification feature, and do not need to use the Phone agent, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend executing a custom installation of the multi-agent notification feature and skipping the installation of the Phone agent, to avoid the risk of exploiting this vulnerability.
  • For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using PCs with the affected product installed in the LAN and blocking remote login from untrusted networks, hosts, and users, to minimize the risk of exploiting this vulnerability.
  • For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing unauthorized access by using a firewall or virtual private network (VPN), etc., and allowing remote login only to trusted users when connecting a PC with the affected product installed to the Internet, to minimize the risk of exploiting this vulnerability.
  • For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the PC on which the affected product is installed and the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.
  • For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.
  • Additional information and useful links are found on Mitsubishi Electric's security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-010_en.pdf".
  • Additional information and useful links are found on the ICONICS GENESIS64 security updates page at "https://iconics.com/en-us/about/security/cert".
  • For users using GENESIS64 and ICONICS Suite Version 10.97.2 series, download and install "10.97.2 Critical Fixes Rollup 3" (https://iconicsinc.my.site.com/community/s/software-update/a355a000003g4Q5AAI/10972-critical-fixes-rollup-3).
  • For users using GENESIS64 and ICONICS Suite Version 10.97.3 series, download and install "10.97.3 Critical Fixes Rollup 2" (https://iconicsinc.my.site.com/community/s/software-update/a35QQ000000y2oXYAQ/10973-critical-fixes-rollup-2).
  • For users of products who cannot immediately update the product, prevent the affected products from being installed in non-default, unprotected folders, to avoid the risk of exploiting this vulnerability.
  • For users of products who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using PCs with the affected product installed in the LAN and blocking remote login from untrusted networks, hosts, and users, to minimize the risk of exploiting this vulnerability.
  • For users of products who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing unauthorized access by using a firewall or virtual private network (VPN), etc., and allowing remote login only to trusted users when connecting a PC with the affected product installed to the Internet, to minimize the risk of exploiting this vulnerability.
  • For users of products who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the PC on which the affected product is installed and the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.
  • For users of products who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.
  • Additional information and useful links are found on the ICONICS GENESIS64 security updates page at "https://iconics.com/en-us/About/Security/CERT".
  • For GENESIS64 and ICONICS Suite users who do not need to use the Fax agent, download and install Version 10.98 or later from the link (https://iconicsinc.my.site.com/community/s/resource-center/product-downloads?tabset-a9d51=51905).
  • For GENESIS64 and ICONICS Suite users who need to use the Fax agent, there are no plans to release a fixed version for the Fax agent. If you do not need to use the multi-agent notification feature, please uninstall it. The multi-agent notification feature is not included in the default installation of GENESIS64 and ICONICS Suite version 10.97.3 or later. For users who need to use the multi-agent notification feature, and do not need to use the FAX agent, execute a custom installation of the multi-agent notification feature and skip the installation of the FAX agent. If you install the FAX Agent, activate the "Windows Fax and Scan" feature in Microsoft Windows. The steps for enabling the "Windows Fax and Scan" feature can vary depending on the Microsoft Windows version, so check the Microsoft site for more information.
  • There are no plans to release fixed versions for MC Works64 and GENESIS32. If you do not need to use the multi-agent notification feature, please uninstall it. The multi-agent notification feature is not included in the default installation of GENESIS64 and ICONICS Suite version 10.97.3 or later. For users who need to use the multi-agent notification feature, and do not need to use the FAX agent, execute a custom installation of the multi-agent notification feature and skip the installation of the FAX agent. If you install the FAX Agent, activate the "Windows Fax and Scan" feature in Microsoft Windows. The steps for enabling the "Windows Fax and Scan" feature can vary depending on the Microsoft Windows version, so check the Microsoft site for more information.
  • For users who need to use the multi-agent notification feature, and do not need to use the FAX agent, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend executing a custom installation of the multi-agent notification feature and skipping the installation of the FAX agent, to avoid the risk of exploiting this vulnerability.
  • For users who install the FAX Agent, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend activating the "Windows Fax and Scan" feature in Microsoft Windows, to avoid the risk of exploiting this vulnerability. The steps for enabling the "Windows Fax and Scan" feature can vary depending on the Microsoft Windows version, so check the Microsoft site for more information.
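
One way to check the "non-default, unprotected folders" mitigation listed above, as an added PowerShell example that is not part of the advisory or of any vendor tooling: it lists ACL entries under an installation folder that grant write-type rights to principals other than SYSTEM, Administrators and TrustedInstaller. The -InstallPath parameter and the trusted-principal list are assumptions; the advisory does not name an installation path.

```powershell
# Added example, not vendor code: list ACL entries that let non-administrative
# principals create, replace or delete files (such as a DLL) under a folder tree.
param(
    # Assumption: the caller supplies the product's actual installation folder.
    [Parameter(Mandatory)] [string] $InstallPath
)

# Principals expected to hold write access, matched by SID so the check is locale-independent.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER (only affects objects the principal could already create)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Specific rights that allow planting or tampering, plus GENERIC_WRITE / GENERIC_ALL,
# which can appear unmapped in inheritable ACEs.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x40000000 -bor 0x10000000
$sidType     = [System.Security.Principal.SecurityIdentifier]

# The root folder plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $InstallPath) +
           @(Get-ChildItem -LiteralPath $InstallPath -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
            try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }
            [pscustomobject]@{ Folder = $dir.FullName; Principal = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Non-zero exit code when any folder is writable by an unexpected principal.
if ($findings) { $findings | Format-Table -AutoSize -Wrap; exit 1 }
Write-Output "No write access for non-administrative principals under $InstallPath"
```

Run it from an elevated session so Get-Acl can read every subfolder; a folder created outside the default protected locations typically shows inherited write entries for ordinary users, which is the condition the mitigation asks you to avoid.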

Affected Vendors

Mitsubishi Electric
Mitsubishi Electric Iconics Digital Solutions

Affected Products (13)

Mitsubishi Electric · GENESIS64 <=10.97.3
Mitsubishi Electric · GENESIS64 10.97.2|10.97.2_CFR1|10.97.2_CFR2|10.97.3
Mitsubishi Electric · ICONICS Suite <=10.97.3
Mitsubishi Electric · ICONICS Suite 10.97.2|10.97.2_CFR1|10.97.2_CFR2|10.97.3
Mitsubishi Electric · MC Works64 vers:all/*
Mitsubishi Electric · GENESIS32 vers:all/*
Mitsubishi Electric · Hyper Historian <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 10.97.2|10.97.2_CFR1|10.97.2_CFR2|10.97.3
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite 10.97.2|10.97.2_CFR1|10.97.2_CFR2|10.97.3
Mitsubishi Electric Iconics Digital Solutions · GENESIS32 vers:all/*
Mitsubishi Electric Iconics Digital Solutions · Hyper Historian <=10.97.3

Affected Sectors

Critical Manufacturing
