CVE-2023-3373 in GOT SIMPLE
Summary
by MITRE • 08/04/2023
Predictable Exact Value from Previous Values vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT21 model versions 01.49.000 and prior and GOT SIMPLE Series GS21 model versions 01.49.000 and prior allows a remote unauthenticated attacker to hijack data connections (session hijacking) or prevent legitimate users from establishing data connections (to cause DoS condition) by guessing the listening port of the data connection on FTP server and connecting to it.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/26/2023
The vulnerability identified as CVE-2023-3373 represents a significant security weakness in Mitsubishi Electric Corporation's industrial automation systems, specifically affecting the GOT2000 Series GT21 and GOT SIMPLE Series GS21 models. This flaw resides in the FTP server implementation of these industrial control devices, creating a predictable pattern that enables remote attackers to exploit the system's network communication protocols. The vulnerability stems from the system's inability to generate truly random port numbers for data connections, instead relying on patterns that can be easily guessed by malicious actors. This predictable behavior fundamentally undermines the security of the communication channels used by these industrial devices, which are critical for manufacturing and process control environments.
The technical nature of this vulnerability aligns with CWE-338, which addresses the use of cryptographically weak pseudo-random number generators, and represents a classic case of session hijacking through port prediction. The flaw operates at the network protocol level where the FTP server establishes data connections using a predictable sequence for port allocation. Attackers can exploit this by scanning the network to identify the specific port numbers that the system will use for subsequent data connections, effectively allowing them to establish unauthorized connections to the FTP server. This mechanism bypasses normal authentication procedures and creates opportunities for both unauthorized data access and service disruption. The vulnerability specifically impacts the passive FTP mode where the server provides port information to the client, making the port selection predictable rather than random.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential industrial control system compromise and operational disruption. Remote attackers can leverage this weakness to perform session hijacking, gaining access to sensitive operational data, configuration parameters, or control commands that flow through the FTP connections. Additionally, the vulnerability enables denial-of-service conditions where attackers can prevent legitimate users from establishing valid data connections, potentially disrupting manufacturing processes or industrial operations that depend on these communication channels. The implications are particularly severe in industrial environments where continuous operation and data integrity are paramount, as this vulnerability could lead to production halts, data corruption, or unauthorized modifications to control parameters that govern critical processes.
Organizations should implement immediate mitigations including network segmentation to isolate affected industrial systems from general network access, deployment of firewall rules to restrict FTP traffic to authorized IP addresses only, and implementation of network monitoring to detect unusual connection patterns. The affected systems should be updated to the latest firmware versions provided by Mitsubishi Electric Corporation that address the predictable port generation issue. Security teams should also consider implementing intrusion detection systems that can identify attempts to connect to predicted ports or establish unauthorized FTP sessions. Additionally, organizations should conduct comprehensive vulnerability assessments of their industrial control systems to identify other potential weaknesses in network communication protocols and ensure proper network architecture that minimizes exposure to such attacks. This vulnerability demonstrates the critical importance of robust randomization in network security implementations and aligns with ATT&CK technique T1190 for exploitation of remote services, highlighting the need for proper security controls in industrial environments.