Mitsubishi Electric MELSOFT iQ AppPortal
1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: MELSOFT iQ AppPortal
- Vulnerabilities: HTTP Request Smuggling, Insufficient Verification of Data Authenticity
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Mitsubishi Electric products and versions are affected:
- MELSOFT iQ AppPortal (SW1DND-IQAPL-M): v1.00A to 1.29F
3.2 VULNERABILITY OVERVIEW
MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in unidentified impacts such as authentication bypass, information disclosure, or a denial-of-service condition in Apache HTTP Server used by VisualSVN Server.
MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in IP address authentication bypass in the Apache HTTP Server used by VisualSVN Server.
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
Mitsubishi Electric reported these vulnerabilities to CISA.
Mitsubishi Electric recommends downloading and applying update version 1.32J or later software.
Mitsubishi Electric recommends users apply the following workarounds or mitigation measures to minimize the risk:
- Disable mod_proxy and mod_proxy_ajp in the VisualSVN Server settings if possible.
- When a PC with the product installed needs access to the internet, use a firewall or virtual private network (VPN), etc. to prevent unauthorized access.
- Use a PC with the product installed within a local area network (LAN) and use a firewall, etc. to minimize connection to the network and restrict access only from trusted networks and hosts.
- Minimize user privilege for the product users.
- Install antivirus software on the computer where the product is used.
Users should contact Mitsubishi Electric for assistance, if needed.
For specific update instructions and additional details see the Mitsubishi Electric advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.