Mitsubishi Fixes ActiveX Control

Friday, February 21, 2014 @ 01:02 PM gHale

Mitsubishi Electric Automation, Inc. created a patch for an insecure ActiveX control vulnerability in MC-WorX, according to a report on ICS-CERT.

An anonymous researcher that goes by the moniker “Blake” identified the vulnerability and published proof-of-concept (PoC) code, without coordination with ICS-CERT, the vendor, or any other coordinating entity. This vulnerability could be exploitable remotely, but requires user interaction. Exploits that target this vulnerability are publicly available.

ICONICS Patches ActiveX Control Bug
MatrikonOPC Patches Vulnerability
Siemens Fixes SIMATIC Vulnerabilities
RSLogix 5000 Password Hole Fixed

The following Mitsubishi Electric Automation, Inc product suffers from the issue: MC-WorX Suite Version 8.02. The currently available version of this product is MC-WorX v9.22 released in 2011 is not vulnerable to this vulnerability.

An attacker crafting a script could assign arbitrary code to the Login Client button. Using social engineering to get the victim to click the Login Client button, arbitrary malicious code could launch from a remote share.

Mitsubishi Electric Automation, Inc, located in Vernon Hills, IL, is the primary location of the MC-WorX software product.

MC-WorX Suite Version 8.02 is sees use across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems in the United States.

The insecure ActiveX control is in the IcoLaunch.dll file. An attacker can fashion a script to launch any arbitrary executable code when the user clicks on the Login Client button, without any authentication or permission elevation. The attacker would need to employ social engineering to get the user to click the altered Login Client button to launch the loaded executable.

CVE-2013-2817 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

An attacker with a moderate skill would be able to exploit this vulnerability.

Mitsubishi Electric Automation, Inc has published a patch resolving this vulnerability available.

Leave a Reply

You must be logged in to post a comment.