(I)IoT Security News
ICS, Industrial IoT (IIoT), IoT Security

Mitsubishi Electric MELSOFT iQ AppPortal

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products and versions are affected: 

3.2 VULNERABILITY OVERVIEW

3.2.1 INCONSISTENT INTERPRETATION OF HTTP REQUESTS (‘HTTP REQUEST/RESPONSE SMUGGLING’) CWE-444 

MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in unidentified impacts such as authentication bypass, information disclosure, or a denial-of-service condition in Apache HTTP Server used by VisualSVN Server. 

CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). 

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in IP address authentication bypass in the Apache HTTP Server used by VisualSVN Server. 

CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

3.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA. 

4. MITIGATIONS

Mitsubishi Electric recommends downloading and applying update version 1.32J or later software. 

Mitsubishi Electric recommends users apply the following workarounds or mitigation measures to minimize the risk: 

Users should contact Mitsubishi Electric for assistance, if needed. 

For specific update instructions and additional details see the Mitsubishi Electric advisory.  

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/uscert/ics/advisories/icsa-23-052-01

Related posts

Fresenius Kabi Agilia Connect Infusion System

(I) IoT
3 years ago

BD Alaris PCU (Update A)

(I) IoT
4 years ago

Rockwell Automation ISaGRAF5 Runtime (Update A)

(I) IoT
3 years ago
Exit mobile version