1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: MELSOFT iQ AppPortal
- Vulnerabilities: HTTP Request Smuggling, Insufficient Verification of Data Authenticity
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a malicious attacker to make unidentified impacts such as authentication bypass, information disclosure, denial-of-service, or bypass IP address authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Mitsubishi Electric products and versions are affected:
- MELSOFT iQ AppPortal (SW1DND-IQAPL-M): v1.00A to 1.29F
3.2 VULNERABILITY OVERVIEW
3.2.1 INCONSISTENT INTERPRETATION OF HTTP REQUESTS (‘HTTP REQUEST/RESPONSE SMUGGLING’) CWE-444
MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in unidentified impacts such as authentication bypass, information disclosure, or a denial-of-service condition in Apache HTTP Server used by VisualSVN Server.
CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345
MELSOFT iQ AppPortal: v1.00A to 1.29F contains a flaw that could result in IP address authentication bypass in the Apache HTTP Server used by VisualSVN Server.
CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Mitsubishi Electric reported these vulnerabilities to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends downloading and applying update version 1.32J or later software.
Mitsubishi Electric recommends users apply the following workarounds or mitigation measures to minimize the risk:
- Disable mod_proxy and mod_proxy_ajp in the VisualSVN Server settings if possible.
- When a PC with the product installed needs access to the internet, use a firewall or virtual private network (VPN), etc. to prevent unauthorized access.
- Use a PC with the product installed within a local area network (LAN) and use a firewall, etc. to minimize connection to the network and restrict access only from trusted networks and hosts.
- Minimize user privilege for the product users.
- Install antivirus software on the computer where the product is used.
Users should contact Mitsubishi Electric for assistance, if needed.
For specific update instructions and additional details see the Mitsubishi Electric advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Source:
https://www.cisa.gov/uscert/ics/advisories/icsa-23-052-01