Today, CISA’s NCCIC-ICS published a control system security advisory for products from Mitsubishi (and ICONICS). I also take a down-the-rabbit-hole look at the ICONICS advisory for the same vulnerability.
Mitsubishi Advisory
This advisory describes an incorrect default permissions vulnerability in the Mitsubishi ICONICS Suite and MC Works64 products. The vulnerability was reported by Asher Davila and Malav Vyas of Palo Alto Networks. Mitsubishi has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to disclose confidential information, tamper with data, or cause a denial-of-service condition.
DTRH at ICONICS Suite Security Advisory
ICONICS was acquired by Mitsubishi in 2019 and all regulatory approvals were obtained for the merger of the two companies in 2023. Even so, CISA continues to treat advisories for ICONICS and Mitsubishi products as being from different organizations. And to be fair, the two organizations do take slightly different approaches to communicating security vulnerabilities.
Mitsubishi publishes individual advisories for each set of vulnerabilities discovered in their products. Those advisories are listed chronologically (including adding updates as published) on their Vulnerability Information website. The advisory that reports the same vulnerability as today’s CISA advisory can be found here.
ICONICS, on the other hand, publishes just two advisories: one for their GENESIS64-based products and the other for their GENESIS32-based products. Each advisory is updated any time a new set of vulnerabilities is reported, providing a cumulative record of vulnerabilities in the product. The GENESIS64 advisory was updated today for the vulnerability reported (starting on page 52) in this CISA advisory. While ICONICS references an ‘ICS CERT Advisory’ for each reported set of vulnerabilities, they use a different, internally consistent format for reporting the vulnerability than does either CISA or Mitsubishi.
There is one minor problem with the ICONICS advisory: there is no date associated with the advisory beyond ‘October 2024’. There is also no documentation of the changes that have been made since the previous version, including the update for today’s CISA and Mitsubishi advisories.
Mitsubishi updated a ‘Genisis64’ advisory last week (see my post from last Sunday). According to Mitsubishi, they added the acknowledgement of “Asher Davila and Malav Vyas, security researchers at Palo Alto Networks, who reported CVE-2024-1182.” This information is provided in the ICONICS entry for this vulnerability (item 22, page 47), but the CISA advisory for the same vulnerability (ICSA-24-184-03), published two days after the original ICONICS-Mitsubishi advisories, notes that “Asher Davila and Malav Vyas of Palo Alto Networks reported AlarmWorX64 MMX Pager Agent vulnerability to ICONICS.” ICONICS probably did not have to update their advisory.