CVE-2022-25156 in MELSEC iQ-F FX5U(C)info

Summary

by MITRE • 04/02/2022

Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions and Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions allows a remote unauthenticated attacker to login to the product by using a password reversed from a previously eavesdropped password hash.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2022

The vulnerability CVE-2022-25156 represents a critical security flaw in Mitsubishi Electric's industrial automation products, specifically affecting the MELSEC iQ-F series FX5U(C) and FX5UJ CPUs across all versions. This weakness falls under the category of weak cryptographic hash usage, where the system employs insufficient hashing algorithms that can be reverse-engineered or cracked through rainbow table attacks and password recovery techniques. The vulnerability creates a significant attack surface for remote unauthenticated adversaries who can exploit this flaw to gain unauthorized access to industrial control systems without requiring prior credentials or physical access to the equipment.

The technical implementation of this vulnerability stems from the use of inadequate cryptographic primitives within the authentication mechanism of these industrial controllers. When users set passwords for accessing the system, the device stores a hash of that password rather than the plaintext credential itself. However, the hashing algorithm employed is considered weak by modern security standards, typically utilizing outdated or insufficiently complex hashing functions such as MD5 or weak SHA-1 implementations that are vulnerable to preimage attacks. This weakness allows attackers who have previously eavesdropped on network traffic containing password hashes to reverse engineer the original passwords through various computational methods, including brute force, dictionary attacks, or leveraging precomputed hash tables.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it fundamentally compromises the integrity and confidentiality of industrial control systems. In industrial environments where these controllers manage critical processes, unauthorized access can lead to production disruptions, safety hazards, and potential physical damage to equipment. The remote nature of the attack means that adversaries can exploit this weakness from anywhere on the network, eliminating the need for physical presence or insider knowledge. This vulnerability particularly affects Manufacturing Execution Systems and Supervisory Control and Data Acquisition (SCADA) environments where Mitsubishi Electric devices are commonly deployed, potentially allowing attackers to manipulate process controls, alter production parameters, or disable safety mechanisms.

The exploitation of this vulnerability aligns with several ATT&CK framework techniques including T1110.003 (Password Policy Violations) and T1078.004 (Valid Accounts: Cloud Accounts) where attackers leverage weak authentication mechanisms to gain access to systems. From a CWE perspective, this vulnerability maps to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-328 (Use of Weak Hash). Organizations should implement immediate mitigations including firmware updates from Mitsubishi Electric, network segmentation to isolate these critical systems, and implementation of additional authentication layers such as two-factor authentication where possible. The vulnerability underscores the importance of cryptographic best practices in industrial control systems and highlights the need for regular security assessments of embedded systems used in critical infrastructure environments.

Reservation

02/14/2022

Disclosure

04/02/2022

Moderation

accepted

CPE

ready

EPSS

0.01209

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!