At the Pwn2Own Miami hacking competition concentrating on industrial control systems ( ICS), Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities revealed earlier this year.
White hat hackers earned a total of $280,000 for the exploits they demonstrated in January’s Pwn2Own contest at the Zero Day Initiative, including $80,000 for vulnerabilities found in the Genesis64 HMI / SCADA product from ICONICS.
The researchers who successfully hacked the ICONICS product were Flashback team’s Pedro Ribeiro and Radek Domanski; Horst Goertz Institute for IT-Security ‘s Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi; Yehuda Anikster of Claroty; and Incite team’s Steven Seeley and Chris Anastasio.
They reported to ICONICS five critical and high-severity vulnerabilities, including those that allow a remote attacker to execute arbitrary code and to launch denial-of – service (DoS ) attacks by sending specially crafted packets to the targeted system. One vulnerability could allow the execution of arbitrary SQL commands by an attacker.
Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz have flaws. Mitsubishi’s MC Works64 and MC Works32 SCADA applications have also been found to have the same vulnerabilities. The U.S. has published separate advisories for the affected products ICONICS and Mitsubishi. Security Agency for Cybersecurity and Infrastructure (CISA), and vendors.
ZDI has told SecurityWeek that advisories for the ICONICS vulnerabilities exposed at Pwn2Own Miami will be released soon.
Claroty, an industrial cybersecurity firm, discovered CVE-2020-12015, a bug to deserialize that can be exploited for DoS attacks. This was one of five bugs that the team at Pwn2Own demonstrated — the other flaws affected products from various vendors.
“The ICONICS Genesis64 program is a human-machine interface (HMI) service that enables several different ‘shop floor’ devices to be connected and monitored. This system can be used to track and manage physical processes in various verticals of the automation world. This means that disabling the process through a DoS attack will destroy the ability to control the process and cause it to be shut down,” Nadav said.
“A Remote Code Execution (RCE) attack on such a service might allow the attacker to change the values controlled by the engineer, thus also jeopardizing the security of the operation. No authentication was needed for all reported vulnerabilities, so an attacker with network access could exploit them and attack the service,” Erez clarified.