Mitsubishi Patches Vulnerabilities Disclosed at ICS Hacking Contest

Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems (ICS).

White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative’s Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS’s Genesis64 HMI/SCADA product.

The researchers who successfully hacked the ICONICS product were Pedro Ribeiro and Radek Domanski of Flashback team; Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi from the Horst Goertz Institute for IT-Security; Yehuda Anikster of Claroty; and Steven Seeley and Chris Anastasio of Incite team.

They reported five critical and high-severity vulnerabilities to ICONICS, including ones that allow a remote attacker to execute arbitrary code and launch denial-of-service (DoS) attacks by sending specially crafted packets to the targeted system. One vulnerability can allow an attacker to execute arbitrary SQL commands.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The flaws impact Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. The same vulnerabilities have also been found to impact Mitsubishi’s MC Works64 and MC Works32 SCADA software. Separate advisories have been published for the affected ICONICS and Mitsubishi products by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendors.

ZDI told Secur ..