Mitsubishi Electric has recently patched critical and high-severity vulnerabilities affecting its internet-connected air conditioning products.
These issues were disclosed in an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and Mitsubishi Electric.
The issue CVE-2021-20595 has a CVSS score of 9.3 and is caused by an XML external entity (XXE) injection flaw that can be exploited to cause arbitrary code execution in control systems. To mitigate it, Mitsubishi Electric has released several patches for its AC controllers.
The vulnerability can lead to remote code execution, data compromise and denial of service. Howard McGreehan, a cybersecurity researcher at UK-based professional services firm Aon, who is credited in the advisory with discovering the issue, explains:
“This vulnerability can be triggered by sending an XXE payload to the process listening to the TCP port number 1025, which causes the application to make arbitrary HTTP and/or FTP requests. Exploiting this vulnerability may lead to information disclosure and/or denial of service on the affected system models and firmware versions.”
McGreehan said that the exploitable XXE vulnerability in the controllers is an easy, standard XXE that could allow an attacker to crash them.
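The XXE flaw McGreehan describes depends on the XML processor resolving a DOCTYPE with an external entity, which is exactly what a hardened parser should refuse. The following Python script is added here as an illustration; it is not code from Mitsubishi Electric, Aon or the advisory. It uses the standard library's expat binding to reject any DOCTYPE, entity declaration or external entity reference before the document body is processed, so a message carrying an XXE payload fails closed instead of triggering an outbound HTTP or FTP fetch. Both XML messages, the element names and the entity URL are constructed samples.

```python
import xml.parsers.expat

# Constructed sample messages modelled on the kind of XML a control-system
# service might accept; neither is taken from the advisory.
BENIGN_XML = (
    b'<?xml version="1.0"?>'
    b'<status><unit id="1"><temp>21.5</temp></unit></status>'
)
# An XXE payload: the DOCTYPE declares an external entity that a naive parser
# would fetch from the network when it expands &ext;.
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE status [<!ENTITY ext SYSTEM "http://203.0.113.10/x">]>'
    b'<status>&ext;</status>'
)


class UnsafeXML(Exception):
    """Raised when a document carries DTD or entity constructs we refuse."""


def parse_no_dtd(data: bytes) -> dict:
    """Parse XML with expat while refusing DOCTYPE, entity declarations and
    external entity references. Returns the element names and text seen.

    Exceptions raised inside expat handlers propagate out of Parse(), which
    is what aborts processing before any entity could be resolved."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": [], "text": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration refused: {name}")

    def on_entity_decl(*args):
        raise UnsafeXML("entity declaration refused")

    def on_external_entity(context, base, system_id, public_id):
        # Never fetch; refuse the reference outright.
        raise UnsafeXML(f"external entity reference refused: {system_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: seen["elements"].append(name)
    parser.CharacterDataHandler = lambda text: seen["text"].append(text)

    parser.Parse(data, True)
    return seen


def is_safe(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy, False otherwise."""
    try:
        parse_no_dtd(data)
        return True
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_XML)):
        print(label, "accepted" if is_safe(doc) else "rejected")
```

Refusing the DOCTYPE at declaration time is stricter than merely declining to fetch external entities: it also blocks internal-entity expansion attacks, and it gives a single, easily logged rejection event for a service that never expects a DTD in legitimate traffic.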
The second vulnerability, tracked as CVE-2021-20593 and rated high severity, was discovered by Chizuri Toyama of TXOne IoT/ICS Security Research Labs and reported to the vendor through Trend Micro’s Zero Day Initiative (ZDI).
Toyama explained that an authenticated attacker could cause a system to crash due to a flaw in an authentication algorithm.
“This vulnerability allows a low privileged user (public user) to access an administrator page of MITSUBISHI Central Controller EW-50A or AE-200A Web Browser Interface. It requires the ability to login as a low privileged user,” said Dustin Childs, communications manager at ZDI. Childs said an attacker could gain escalated privileges and therefore total control over the system.
Both Childs and McGreehan said it is possible that some of the affected controllers are directly reachable by attackers from the Internet.
“You can usually interact with these controllers from anywhere on the LAN unless the network is segmented, and it’s certainly possible some could be exposed to the internet,” McGreehan said.
Mitsubishi Electric has released a slew of patches to address the vulnerabilities that have been spotted in its connected controllers. Aside from addressing the issues, the company also provided additional mitigations and instructions for checking a device’s version number to see if it’s vulnerable.