Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): ICSA-21-294-03
Published: Oct 21, 2021 - 12:00 p.m.

ICONICS GENESIS64 and Mitsubishi Electric MC Works64 OPC UA

www.cisa.gov

CVSS2: 5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.8 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 41.5%)

1. EXECUTIVE SUMMARY

  • **CVSS v3 7.5**
  • **ATTENTION:** Exploitable remotely/low attack complexity
  • **Vendors:** ICONICS, Mitsubishi Electric
  • **Equipment:** ICONICS GENESIS64, Mitsubishi Electric MC Works64
  • **Vulnerability:** Uncontrolled Recursion

2. RISK EVALUATION

Successful exploitation of this vulnerability could trigger a stack overflow.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ICONICS and Mitsubishi Electric modules are affected in some third-party OPC Foundation products:

  • GENESIS64: Versions 10.97 and prior
  • Hyper Historian: Versions 10.97 and prior
  • AnalytiX: Versions 10.97 and prior
  • MobileHMI: Versions 10.97 and prior
  • MC Works64: Versions 4.04E and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RECURSION CWE-674

The affected products are vulnerable to uncontrolled recursion, which may trigger a stack-based buffer overflow.

CVE-2021-27432 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
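As an added illustration of CWE-674 and its usual fix (not code from ICONICS, Mitsubishi Electric, the OPC Foundation or CISA), the recursive decoder below rejects input nested deeper than a fixed limit instead of recursing until the stack is exhausted. The wire format is a constructed toy, not the OPC UA encoding, and every name in it (decode_message, make_nested, the tag values, the limit of 64) is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed toy format (not the OPC UA binary encoding):
 *   0x00 <value>             scalar leaf
 *   0x01 <count> <items...>  container of <count> nested values */
enum { TAG_SCALAR = 0x00, TAG_CONTAINER = 0x01 };
enum { DEC_OK = 0, DEC_MALFORMED = -1, DEC_TOO_DEEP = -2 };
#define MAX_NESTING 64 /* assumed limit, not a vendor value */

/* Depth is checked before any further recursion, so stack use is bounded
 * by MAX_NESTING no matter how deeply the peer nests its input. */
static int decode_value(const uint8_t *buf, size_t len, size_t *pos,
                        unsigned depth, size_t *leaves)
{
    if (depth > MAX_NESTING) return DEC_TOO_DEEP;
    if (len - *pos < 2) return DEC_MALFORMED;  /* invariant: *pos <= len */
    uint8_t tag = buf[(*pos)++];
    uint8_t arg = buf[(*pos)++];
    if (tag == TAG_SCALAR) { (*leaves)++; return DEC_OK; }
    if (tag != TAG_CONTAINER) return DEC_MALFORMED;
    for (unsigned i = 0; i < arg; i++) {
        int rc = decode_value(buf, len, pos, depth + 1, leaves);
        if (rc != DEC_OK) return rc;           /* propagate the first error */
    }
    return DEC_OK;
}

/* Entry point for untrusted bytes: the whole buffer must be consumed. */
int decode_message(const uint8_t *buf, size_t len, size_t *leaves)
{
    size_t pos = 0;
    *leaves = 0;
    int rc = decode_value(buf, len, &pos, 0, leaves);
    return (rc == DEC_OK && pos != len) ? DEC_MALFORMED : rc;
}

/* Constructed input: `levels` containers wrapped around one scalar. */
uint8_t *make_nested(size_t levels, size_t *out_len)
{
    *out_len = 2 * levels + 2;
    uint8_t *b = malloc(*out_len);
    if (!b) return NULL;
    for (size_t i = 0; i < levels; i++) { b[2*i] = TAG_CONTAINER; b[2*i+1] = 1; }
    b[2*levels] = TAG_SCALAR;
    b[2*levels + 1] = 42;
    return b;
}
```

Without the depth check, the input from make_nested(1000000, ...) would drive one stack frame per nesting level; with it, the decoder returns DEC_TOO_DEEP after 65 frames.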

3.3 BACKGROUND

  • **CRITICAL INFRASTRUCTURE SECTORS:** Multiple Sectors
  • **COUNTRIES/AREAS DEPLOYED:** Worldwide
  • **COMPANY HEADQUARTERS LOCATION:** ICONICS is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.

3.4 RESEARCHER

Eran Jacob with the Otorio Research Team reported this vulnerability to CISA.

4. MITIGATIONS

ICONICS and Mitsubishi Electric are releasing Critical Fix Rollup packages or patches that will include the solution to this vulnerability. GENESIS64 Versions 10.97.1 and later will not be vulnerable to this exploit.

ICONICS and Mitsubishi Electric recommend users take the following mitigations:

  • Place control system networks and devices behind firewalls to isolate them from the business network.
  • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
  • Do not click web links or open unsolicited attachments in e-mail messages.
  • Leverage OPC UA security and certificates to ensure ICONICS products only connect to trusted OPC UA servers and clients.
  • Install the applicable Critical Fixes Rollup, if available.

ICONICS provides information and useful links related to its security updates at its company website.

Mitsubishi Electric provides information and useful links related to its security updates at its company website.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.
