TALOS-2022-1646


SUMMARY

An authentication bypass vulnerability exists in the webserver session identifier generation functionality of the Mitsubishi Electric Corporation's MELSEC iQ-F FX5U v1.240. A specially crafted HTTP request can lead to a session cookie leak. An attacker can send a series of HTTP requests to trigger this vulnerability.


CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.


Mitsubishi Electric Corporation MELSEC iQ-F FX5U v1.240


PRODUCT URLS

MELSEC iQ-F FX5U - https://www.mitsubishielectric.com/fa/products/cnt/plcf/items/index.html


CVSSv3 SCORE

7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N


CWE

CWE-342 - Predictable Exact Value from Previous Values


DETAILS

The iQ-F FX5U is one of several members of the iQ-F series of Programmable Logic Controllers from Mitsubishi. The FX5U comes with a built-in processor, power supply, Ethernet port and 16 I/O points. The PLC can be configured to host several network services, such as an HTTP server, FTP server, FTP client, MODBUS/TCP interface and several Mitsubishi-specific protocols.


The authentication flow for the web server begins with the user navigating to /system/Log-in.html. On this page is a standard authentication prompt requesting a username and password. When those values are submitted, JavaScript on the page initiates two POST requests, the first to /cgi/GetRndNum.cgi and the second to /cgi/login.cgi.


The first request to GetRndNum is required to collect a 32-byte long random number that will be effectively used as a client-side salt. This request is un ..
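The weakness class cited above, CWE-342, covers identifiers whose next value can be derived from values already seen. The following added example (not Talos or Mitsubishi code, and not a reconstruction of the PLC's actual generator, which the advisory does not describe) shows the kind of offline check a defender can run over a batch of captured session identifiers or GetRndNum values to flag that pattern. The two weak generators (a fixed-step counter and a SHA-256 hash chain) are constructed for illustration only; the third generator shows the CSPRNG-per-value behaviour a 32-byte salt or session identifier should have.

```python
import hashlib
import math
import secrets
from collections import Counter
from typing import Dict, List

TOKEN_LEN = 32  # the advisory describes GetRndNum as returning a 32-byte value


def counter_tokens(n: int, start: int = 1000, step: int = 7) -> List[bytes]:
    """Constructed weak source: each value is the previous one plus a fixed step."""
    return [(start + i * step).to_bytes(TOKEN_LEN, "big") for i in range(n)]


def hash_chain_tokens(n: int, seed: bytes = b"constructed-seed") -> List[bytes]:
    """Constructed weak source: each value is SHA-256 of the previous one.

    The bytes look random, but anyone holding one value can compute every later one,
    which is exactly the CWE-342 property."""
    out, cur = [], hashlib.sha256(seed).digest()
    for _ in range(n):
        out.append(cur)
        cur = hashlib.sha256(cur).digest()
    return out


def random_tokens(n: int) -> List[bytes]:
    """Reference behaviour: a fresh CSPRNG output for every value."""
    return [secrets.token_bytes(TOKEN_LEN) for _ in range(n)]


def bits_per_byte(tokens: List[bytes]) -> float:
    """Shannon entropy of the byte distribution across all samples (maximum 8.0)."""
    data = b"".join(tokens)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def assess(tokens: List[bytes]) -> Dict[str, object]:
    """Flag simple 'derived from previous value' structure in a captured token sequence.

    Checks: repeated values, a constant arithmetic step between consecutive values,
    a SHA-256 hash chain, and a byte entropy far below what a CSPRNG produces.
    A clean result does not prove the generator is safe; a finding proves it is not."""
    if len(tokens) < 3:
        raise ValueError("need at least three consecutive samples")
    findings: List[str] = []

    if len(set(tokens)) < len(tokens):
        findings.append("duplicate values issued")

    ints = [int.from_bytes(t, "big") for t in tokens]
    if len({b - a for a, b in zip(ints, ints[1:])}) == 1:
        findings.append("constant step between consecutive values (counter)")

    if all(hashlib.sha256(a).digest() == b for a, b in zip(tokens, tokens[1:])):
        findings.append("each value is SHA-256 of the previous one (hash chain)")

    entropy = bits_per_byte(tokens)
    if entropy < 6.0:  # constructed threshold; CSPRNG output over a few hundred bytes sits near 7.8
        findings.append(f"low byte entropy ({entropy:.2f} bits/byte)")

    return {
        "samples": len(tokens),
        "bits_per_byte": round(entropy, 2),
        "findings": findings,
        "predictable": bool(findings),
    }


if __name__ == "__main__":
    for name, gen in (("counter", counter_tokens), ("hash chain", hash_chain_tokens), ("csprng", random_tokens)):
        print(name, assess(gen(50)))
```

In practice the input to assess() would be a list of values captured from the device's own responses during an authorised test, decoded to bytes; the checks are deliberately limited to relationships that can be confirmed from the samples alone, so the tool reports what it can prove rather than guessing at the generator.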
