A recently discovered vulnerability, CVE-2024-8299, affects ICONICS GENESIS64, Mitsubishi Electric GENESIS64, and Mitsubishi Electric MC Works64 across all versions. The vulnerability is categorized as an "Uncontrolled Search Path Element" issue, allowing local authenticated attackers to execute malicious code by storing a specially crafted DLL in a specific folder. Exploiting this vulnerability could lead to information disclosure, tampering of data, destruction, or deletion of data in the affected products, and even a denial of service (DoS) condition.
In this long-read post, we will dive into the details of this vulnerability, including the code snippet, links to original references, and exploit details.
Code Snippet
The vulnerability lies in the way the affected software searches for a specific DLL. A local authenticated attacker can exploit it by placing a maliciously crafted DLL in a folder that the software consults while looking for that library.
For instance, the software may search for a library called "example.dll" in a directory such as the following:
C:\Windows\
An attacker could craft a malicious version of "example.dll" and place it in such a directory. When the affected software searches for the DLL, it unknowingly loads the attacker's version and executes the malicious code.
Details about CVE-2024-8299 can be found in the official National Vulnerability Database (NVD):
- CVE-2024-8299 NVD Listing
The vulnerability was reported to the respective vendors, who confirmed the issue and provided patches for the affected products:
- ICONICS Security Advisory
- Mitsubishi Electric Security Advisory
Outlined below are the steps an attacker can follow to exploit CVE-2024-8299:
1. The attacker must first gain local access to the system running the vulnerable software. This could be achieved through other, lower-impact vulnerabilities or through social engineering.
2. After gaining local access, the attacker needs to create a custom, malicious version of the required DLL. This DLL should contain the code the attacker desires to execute, such as stealing credentials or exfiltrating sensitive data.
3. The attacker then locates the specific folder where the vulnerable software searches for the DLL and places the crafted DLL into that folder.
4. Once the malicious DLL is in place, the attacker waits for the software to run. When the software searches for the required DLL, it loads the attacker's version instead and executes the malicious code.
5. The attacker now has access to perform various malicious activities, such as disclosing, tampering with, destroying, or deleting information in the affected products, or causing a denial of service (DoS) condition.
Mitigation
It is essential to address this vulnerability to protect your systems. The vendors have issued patches and updated versions of their software to fix the issue:
- Update ICONICS GENESIS64 to the latest version available on the ICONICS website.
- Update Mitsubishi Electric GENESIS64 and MC Works64 using the fixed versions published on the Mitsubishi Electric website.
Additionally, follow good cybersecurity practices, such as restricting user privileges, regularly updating software, and training staff to prevent unauthorized local access.
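The search-path weakness described above only matters if a low-privileged account can write into one of the directories the software consults when loading a DLL. The following PowerShell script is an added example, not code from ICONICS, Mitsubishi Electric or the advisories: it walks the standard Windows DLL search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory and every PATH entry) and reports which of those directories grant write, modify or full-control rights to Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE. The application directory is an assumed input supplied by the operator; the list of "low-privileged" principals and the set of rights treated as write access are assumptions you can tune for your environment.

```powershell
# Added example (not vendor code): find DLL search-path directories that
# low-privileged principals can write to. Run in an elevated PowerShell on the
# host running the product under review.
param(
    [Parameter(Mandatory = $true)]
    [string]$ApplicationDirectory   # folder of the application's .exe (assumed input)
)

# Principals whose write access to a search-path directory is a red flag (assumed list).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal drop or replace a file in a directory (assumed set).
# Note: inherited ACEs carrying generic rights (GENERIC_WRITE etc.) show up as raw
# numbers and are not expanded here; review those entries manually.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-DllSearchDirectories {
    # Standard DLL search order with SafeDllSearchMode enabled (the default).
    param([string]$AppDir)
    $dirs = [System.Collections.Generic.List[string]]::new()
    $dirs.Add($AppDir)
    $dirs.Add([Environment]::GetFolderPath('System'))   # e.g. C:\Windows\System32
    $dirs.Add((Join-Path $env:windir 'System'))          # 16-bit system directory
    $dirs.Add($env:windir)                               # e.g. C:\Windows
    $dirs.Add((Get-Location).Path)                       # current working directory
    foreach ($p in ($env:Path -split ';')) {
        if ($p.Trim()) { $dirs.Add($p.Trim()) }
    }
    return $dirs | Select-Object -Unique
}

function Test-LowPrivWritable {
    # Returns $null if the directory does not exist, otherwise the (possibly empty)
    # list of low-privileged principals that hold write-capable Allow ACEs on it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $acl = Get-Acl -LiteralPath $Path
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { $ace.IdentityReference.Value }
    }
    return @($hits | Select-Object -Unique)
}

# Build the report: one row per search-path directory.
$report = foreach ($dir in (Get-DllSearchDirectories -AppDir $ApplicationDirectory)) {
    $writers = Test-LowPrivWritable -Path $dir
    [pscustomobject]@{
        Directory      = $dir
        Exists         = ($null -ne $writers)
        LowPrivWriters = if ($writers) { $writers -join ', ' } else { '' }
    }
}

$report | Format-Table -AutoSize
```

Invoke it as `.\Find-WritableDllSearchDirs.ps1 -ApplicationDirectory 'C:\Program Files\<vendor>\<product>'` (placeholder path). Any row with a non-empty LowPrivWriters column is a directory where a standard user could stage a DLL ahead of the legitimate one; the fix is to tighten that directory's ACL so only administrators and the installer service can write to it, in addition to applying the vendor patches. A non-existent directory that appears in PATH is also worth removing, since an attacker who can create it gains a writable search-path entry.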
Timeline
Published on: 11/28/2024 23:15:03 UTC
Last modified on: 12/06/2024 06:15:22 UTC