Mitsubishi Electric Corporation released an advisory on July 18, 2024, detailing a critical vulnerability in its MELSOFT MaiLab software, identified as CVE-2023-4807. This issue, affecting versions 1.00A to 1.05F of the MELSOFT MaiLab SW1DND-MAILAB-M and SW1DND-MAILABPR-M, results from improper verification of cryptographic signatures due to flawed implementation of the POLY1305 message authentication code in the OpenSSL library. The vulnerability carries a CVSS v4 score of 8.2, indicating a high severity with the potential for remote exploitation.
The vulnerability could enable an attacker to cause a denial-of-service (DoS) condition on the affected software. Exploitation requires an attacker to interact with the software in a way that triggers the flawed cryptographic process, leading to potential disruptions in service. The risk is particularly significant given the software’s use in critical manufacturing sectors globally, making it a high-priority issue for users to address.
Mitsubishi Electric advises affected users to upgrade to MELSOFT MaiLab version 1.06G or later to mitigate the risk. The company recommends additional security measures such as using firewalls and VPNs to restrict unauthorized access, securing physical access to the installation environment, and avoiding untrusted web links and attachments. These steps are aimed at reducing the likelihood of successful exploitation of the vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) has been informed of the vulnerability and underscores the importance of implementing robust security practices to protect against such risks. CISA provides guidance on mitigating vulnerabilities, including network segmentation and comprehensive risk assessments. Organizations are encouraged to follow these recommendations to enhance the security of their industrial control systems and report any suspicious activity to CISA for further analysis.