Mitsubishi Electric GT25-WLAN (Update A)

1. EXECUTIVE SUMMARY

• CVSS v3 6.5
• ATTENTION: Exploitable remotely
• Vendor: Mitsubishi Electric
• Equipment: Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27
• Vulnerabilities: Improper Removal of Sensitive Information Before Storage or Transfer, Inadequate Encryption Strength, Missing Authentication for Critical Function, Injection, Improper Input Validation

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-22-102-04 Mitsubishi Electric GT25-WLAN that was published April 12, 2022, on the ICS webpage on cisa.gov/ics.

3. RISK EVALUATION

There are multiple vulnerabilities due to design flaws in the frame fragmentation functionality and the frame aggregation functionality in the Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow an attacker to steal communication contents or inject unauthorized packets.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27, are affected:

--------- Begin Update A Part 1 of 2 ---------

• GT25-WLAN: Version 01.39.000 and earlier

--------- End Update A Part 1 of 2 ---------

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER REMOVAL OF SENSITIVE INFORMATION BEFORE STORAGE OR TRANSFER CWE-212

The affected product is vulnerable to a fragment cache attack as it does not clear fragments from memory when (re)connecting. This may allow an attacker to steal communication contents or inject unauthorized packets.

CVE-2020-24586 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

4.2.2    INADEQUATE ENCRYPTION STRENGTH CWE-326

The affected product is vulnerable to a mixed key attack as it reassembles fragments encrypted under different keys. This may allow an attacker to steal communication contents.

CVE-2020-24587 has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

4.2.3    MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product is vulnerable to an aggregation attack as it accepts non-SPP A-MSDU frames. This may allow an attacker to inject unauthorized packets.

CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).

4.2.4    IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT ('INJECTION') CWE-74

The affected product can accept plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.5    IMPROPER INPUT VALIDATION CWE-20

The affected product is vulnerable to accepting fragmented plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.6    IMPROPER INPUT VALIDATION CWE-20

The affected product can accept plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network. This may allow an attacker to inject unauthorized packets.

CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.2.7    IMPROPER INPUT VALIDATION CWE-20

The affected product can reassemble encrypted fragments with non-consecutive packet numbers. This may allow an attacker to steal communication contents.

CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

4.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

4.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

5. MITIGATIONS

Mitsubishi Electric has provided the following mitigations or workarounds.

-------- Begin Update A Part 2 of 2 ---------

For users who use the affected products and versions, please update to the fixed versions by following the steps:

Check the versions in use by referencing GOT2000 Series User's Manual (Utility) (SH-081195ENG), 6.9 Package Data Management – “Property operation.”

The latest version of the manual is available from Mitsubishi Electric FA Global Website.

Fixed versions

Install system applications (extended function) “Wireless LAN” v01.45.000 or later.

• Fixed system applications (extended function) “Wireless LAN” is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.
• This does not include countermeasures for CVE-2020-26146

Users are encouraged to follow the following update procedure:

1. Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).
2. Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.
3. Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to “4. COMMUNICATING WITH GOT” in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).
4. After writing the required package data to the GOT, refer to the “How to check the versions in use” and check the fixed versions.

-------- End Update A Part 2 of 2 ---------

When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.

• For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.
• Use WPA or WPA2 as the security authentication method for wireless LAN.
• Use the IP filter function*1 to restrict the accessible IP addresses.
  • *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) “5.4.3 Setting the IP filter”

When using the wireless LAN communication unit as a station, check if the router settings are as follows:

• For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.
• Use WPA or WPA2 as the security authentication method for wireless LAN.
• If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).
• Set password for the router’s Management portal, which is difficult to be identified.

Check the following when using a computer or tablet, etc., on the same network.

• Update Antivirus software to the latest version.
• Do not open or access suspicious attachment file or linked URL.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.



CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.



Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.