Third Party Vulnerability Hits Mitsubishi

Wednesday, November 9, 2011 @ 12:11 PM gHale


The Mitsubishi MX4 Supervisory Control and Data Acquisition (SCADA) product affected by a buffer overflow is really a version of CitectSCADA, a product offered by Schneider Electric.

A buffer overflow vulnerability resides in a third-party component used by the CitectSCADA and MX4 SCADA Batch products, according to ICS-CERT. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

Researcher Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center (ICST) found the vulnerability. ICS-CERT coordinated the researcher’s vulnerability report with Schneider Electric, which issued a patch. The researcher confirmed the patch works and Schneider Electric has provided the patch to Mitsubishi for distribution to MX4 SCADA customers.

The following products suffer from the vulnerability:
• CitectSCADA V7.10 and prior using the CitectSCADA Batch Server module.
• Mitsubishi MX4 SCADA V7.10 and prior using the MX4 SCADA Batch module.

CitectSCADA is a human-machine interface (HMI) product offered by Schneider Electric. MX4 SCADA is a product offered by Mitsubishi.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on a system running an affected version of these products. This vulnerability is not remotely exploitable. However, an attacker with a low skill level could exploit this vulnerability.

A buffer overflow vulnerability exists in a third-party component used by the CitectSCADA and MX4 SCADA Batch products. This vulnerability results from an overly long user input string sent to the server during the normal logon sequence. Such a string can allow successful exploitation of the vulnerability and execution of arbitrary code.

Schneider Electric has released a notification about this vulnerability on its website.

Customers actively using the CitectSCADA Batch product should contact Schneider for details on how to migrate to the new Batch platform.

For customers who run V5.50, V6.00, V6.10, V7.00, or V7.10 of CitectSCADA but do not use the Batch product, Schneider Electric recommends running the CitectSCADA Batch Uninstaller to uninstall the Batch component, thereby eliminating the risk.

Mitsubishi Electric Europe B.V. is contacting customers who have purchased an MX4 BATCH license and will work with the customer and Schneider Electric to ensure they are not at risk from this vulnerability.

Mitsubishi Electric Europe B.V. has released a notification about this vulnerability on its website.

Mitsubishi recommends that users who may have installed the MX4SCADA but are not using the MX4Batch engine (CitectSCADA Batch engine) remove this module by using the uninstaller provided by Schneider Electric.

Customers using MX4 Batch should contact their local Mitsubishi Electric Europe B.V. representative to discuss upgrading to a new version of the Batch platform or alternatively moving to a non-PC-based batch system such as Mitsubishi Electric Europe B.V.’s C Batch. Contact Mitsubishi Electric at fa-psn@mitsubishi-automation.com for further assistance.
