Re: CVE-2015-3938 Remote Permanent LoV (Loss of View) in Mitsubishi Melsec FX3G-24M PLC

[Ralf Spenneberg <ralf () os-t de>]

The ICS-CERT will shortly publish an advisory on its own: ICSA-15-146-01
It  has calculated the CVSS-Score to be 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

We have updated the CVSS Score in our advisory on 
http://www.os-s.net/advisories/mitsubishi_fx3ge_parameter_error-engl.pdf

Ralf Spenneberg

Am Dienstag, 29. September 2015, 12:30:35 schrieb Ralf Spenneberg:
> OS-S Security Advisory 2015-03
>
> Date:     September 29th, 2015
> CVE:      CVE-2015-3938
> CVSS:     5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
>
> Title:    Mitsubishi ICS FX3G-24M Permanent Communication Denial of Service
>
> Severity: Critical.
>           The TCP/IP communication of the Mitsubishi Melsec FX3G-24 is
>           permanently disrupted.
>
> Ease of Exploitation: Trivial
>
> Vulnerability type: Wrong input validation (buffer overflow?)
>
> Products: Mitsubishi Melsec FX3G-24M
>
> Abstract
> The Mitsubishi Melsec FX3G-24M is a highly integrated Industrial Control
> System (ICS). Many functions of the ICS may be controlled via the built-in
> HTTP-Server. By using specially crafted HTTP-messages all Ethernet based
> communication may be permanently disrupted. This permanent denial of Service
> can only be corrected via a cold restart of the ICS.
> Detailed product description
> We confirmed the bug on the following system:
> FX3G-24M
> CPU-Version: 2.10
> FX3U-ENET-ADP Version: 1.20
> Further products or firmware versions have not been tested
>
> Description
> The built-in HTTP application is unable to handle parameters with a length
> of 100 bytes or more. This is true for all tested URLs but /fx_devmon.html.
> Even parameters not used by the web applications trigger the DoS bug. This
> security weakness can be exploited using both POST and GET HTTP requests.
> As soon as any parameter with a length of at least 100 characters is
> transmitted all Ethernet/IP/TCP communication is permanently halted. A
> connected HMI looses its connection, the HTTP server is not available any
> more and the System does not respond to ICMP ping requests or ARP requests.
> The ICS has to undergo a cold restart be interrupting the power supply. The
> PLC still continues to execute the internal logic program. Only the
> Ethernet based communication is disrupted.
>
> Proof of Concept
> The following command (all on one line) crafts an GET request and sends it
> to the PLC running on the IP address 192.168.155.80:
> python -c "print 'GET /index.html?'+'A'*100 +' \ HTTP/1.1\r\n\r\n'" | nc
> 192.168.155.80 80
>
> As soon as the command returns the communication is disrupted.
>
> Severity and Ease of Exploitation
> The security weakness can be easily exploited. No special tools are
> necessary. The Exploit neither requires physical access to the ICS nor does
> it require direct access to the ICS network. The exploit can be executed
> across routers and if the ICS is connected to the internet across the
> Internet. The HTTP- request is a normal and valid request and will not be
> detected or prevented by Firewalls or Intrusion Prevention Systems.
> The disruption of the Ethernet based communication will cause a permanent
> loss of view on any connected HMIs and will prevent the communication of
> the ICS with other ICS systems via Ethernet.
>
> Vendor Communication
> We unsuccessfully tried to contact the vendor for several month. We could
> not find a security contact responsible for these products. On December 4th
> 2014 we contacted the ICS-CERT. The ICS-CERT contacted Mitsubishi.
> Mitsubishi released a new firmware in April 2015. The new firmware will
> only be available in all controllers shipped starting April 2015. Older
> controllers will not receive the firmware update.
>
> Formatted PDF: