CVE-2023-2061 in MELSEC iQ-R
Summary
by MITRE • 06/02/2023
Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP.
Analysis
by VulDB Data Team • 06/29/2023
The vulnerability CVE-2023-2061 represents a critical security flaw in Mitsubishi Electric Corporation's industrial automation equipment, specifically affecting the MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This issue falls under the CWE-798 category of use of hard-coded credentials, which is a fundamental security weakness that exposes systems to unauthorized access. The vulnerability stems from the inclusion of a default password within the firmware of these industrial network modules, creating a persistent security risk that remains active regardless of system configuration or user management practices.
The technical implementation of this flaw involves hard-coded authentication credentials within the FTP service of the affected modules. When these devices are deployed in industrial environments, the hard-coded password is available to any remote attacker who can reach the device over the network. This allows unauthorized individuals to establish FTP connections and gain access to the module's file system, configuration parameters, and potentially the broader industrial network. The vulnerability is particularly concerning because no credentials need to be compromised through social engineering or other attack vectors: the password is simply embedded within the device firmware itself.
From an operational perspective, the impact of this vulnerability extends beyond simple unauthorized access to the potential compromise of entire industrial control systems. The affected modules serve as network gateways and communication interfaces within industrial environments, making them prime targets for attackers seeking to infiltrate critical infrastructure. Remote exploitation of this vulnerability enables attackers to modify device configurations, upload malicious software, or exfiltrate sensitive operational data. The implications are particularly severe in industrial settings where these modules may be connected to critical processes, as unauthorized access could lead to production disruptions, safety hazards, or even physical damage to equipment. The vulnerability also aligns with ATT&CK technique T1078.004 for valid accounts and T1566.001 for spearphishing, as attackers can leverage the hard-coded credentials to establish persistent access and potentially escalate privileges within the industrial network.
Mitigation strategies for this vulnerability require immediate action from system administrators and industrial security teams. The primary recommendation is to update the firmware to the versions Mitsubishi Electric has released to address the hard-coded password. Organizations should also implement network segmentation to isolate these modules from critical network segments and apply firewall rules that restrict FTP access to authorized management systems only. Additional measures include disabling unnecessary services such as FTP when they are not required, implementing network monitoring to detect unauthorized access attempts, and conducting comprehensive vulnerability assessments of industrial control systems. The remediation process must be carefully coordinated with operational requirements to minimize disruption to industrial processes while ensuring the security of critical infrastructure components.
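The monitoring measure above can be implemented as a simple rule over boundary firewall logs: any FTP session that reaches a module from a host outside the engineering/management allowlist is an alert. The following is an added example, not code from VulDB or Mitsubishi Electric; the log line format, the module addresses and the allowlisted subnet are all constructed for illustration, and the EtherNet/IP port 44818 appears only to show that non-FTP traffic is ignored.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines (not from the advisory): each line records a
# TCP connection attempt seen at the boundary in front of the EtherNet/IP
# modules. All addresses are placeholders chosen for this example.
SAMPLE_LOG = """\
2023-06-30T08:01:12Z fw1 ALLOW TCP 10.20.1.5:50211 -> 10.20.9.40:21
2023-06-30T08:01:15Z fw1 ALLOW TCP 10.20.1.5:50212 -> 10.20.9.40:44818
2023-06-30T08:03:40Z fw1 ALLOW TCP 192.0.2.77:4123 -> 10.20.9.40:21
2023-06-30T08:03:41Z fw1 ALLOW TCP 192.0.2.77:4124 -> 10.20.9.40:21
2023-06-30T08:05:02Z fw1 DENY TCP 198.51.100.9:6000 -> 10.20.9.40:21
2023-06-30T08:07:19Z fw1 ALLOW TCP 10.20.1.9:38800 -> 10.20.9.41:21
"""

# Assumed log format: "<ts> <fw> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_unauthorized_ftp(log_text, module_ips, mgmt_allowlist, ftp_port=21):
    """Return (alerts, per_source_counts) for FTP sessions that the firewall
    allowed through to a module from a host outside the management allowlist.
    Denied attempts are skipped: the firewall rule already handled those."""
    modules = {ipaddress.ip_address(ip) for ip in module_ips}
    allowed_nets = [ipaddress.ip_network(n) for n in mgmt_allowlist]
    alerts, counts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m["action"] != "ALLOW" or int(m["dport"]) != ftp_port:
            continue  # only allowed sessions reaching the FTP service matter
        dst = ipaddress.ip_address(m["dst"])
        if dst not in modules:
            continue  # traffic to something other than an affected module
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in allowed_nets):
            continue  # authorized engineering/management host
        counts[str(src)] += 1
        alerts.append((m["ts"], str(src), str(dst)))
    return alerts, counts


if __name__ == "__main__":
    found, per_src = find_unauthorized_ftp(
        SAMPLE_LOG, ["10.20.9.40", "10.20.9.41"], ["10.20.1.0/24"])
    for ts, src, dst in found:
        print(f"{ts} unauthorized FTP to module {dst} from {src}")
    print("attempts per source:", dict(per_src))
```

On the constructed log this reports two allowed FTP sessions from 192.0.2.77, which under the segmentation rules on this page should never have reached the module at all.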