CVE-2020-12011
📋 TL;DR
This vulnerability allows attackers to send specially crafted packets to affected industrial control systems, potentially causing denial-of-service or remote code execution. It affects Mitsubishi Electric MC Works and ICONICS software used in industrial environments. Systems with these products exposed to untrusted networks are at highest risk.
💻 Affected Systems
- Mitsubishi Electric MC Works64
- Mitsubishi Electric MC Works32
- ICONICS GenBroker64
- ICONICS Platform Services
- ICONICS Workbench
- ICONICS FrameWorX Server
- ICONICS GenBroker32
📦 What is this software?
- BizViz by ICONICS
- GENESIS32 by ICONICS
- GENESIS64 by ICONICS
- MC Works by Mitsubishi Electric
- MC Works32 by Mitsubishi Electric
- MobileHMI by ICONICS
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/root privileges leading to complete system compromise, process disruption, and potential physical safety impacts in industrial environments.
Likely Case
Denial-of-service causing system crashes and disruption to industrial processes, with potential for limited code execution in memory corruption scenarios.
If Mitigated
No impact if systems are properly segmented and not exposed to untrusted networks, with network controls blocking malicious packets.
🎯 Exploit Status
CWE-787 (Out-of-bounds Write) indicates a memory corruption vulnerability. Exploitation requires network access but no authentication; complexity is likely low given the CVSS 9.8 score and the ICS-CERT advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MC Works64: versions after 4.02C; MC Works32: versions after 3.00A; ICONICS: versions after 10.96 (64-bit), after 9.5 (32-bit)
Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02, https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03
Restart Required: Yes
Instructions:
1. Contact Mitsubishi Electric or ICONICS for updated software versions.
2. Apply patches according to vendor instructions.
3. Restart affected systems.
4. Test in non-production environment first.
5. Verify patch application.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Isolate affected systems from untrusted networks using firewalls and network segmentation.
Port Restriction
Windows: Block unnecessary ports and restrict access to only trusted IP addresses.
# Windows firewall example (1234,5678 are placeholder ports; adjust to the ports your deployment uses)
netsh advfirewall firewall add rule name="Block MC Works Ports" dir=in action=block protocol=TCP localport=1234,5678
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks.
- Deploy intrusion detection/prevention systems to monitor for and block malicious packets targeting this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check software version against affected versions list; review system logs for unexpected communication packets or crashes.
Check Version:
# Check version through software interface or vendor documentation; no universal command available.
Verify Fix Applied:
Verify installed version is newer than affected versions; test system stability with normal communication patterns.
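The version comparison described above can be scripted once the installed version string has been read from the software interface. This is an added example, not vendor tooling: the product labels, the assumed version format (`major.minor` plus an optional letter suffix) and the sample inventory are constructed for illustration, and the thresholds are the ones listed under Official Fix.

```python
import re
from decimal import Decimal

# Last affected version per product line, from the "Official Fix" entry above.
# The dictionary keys are labels chosen for this example.
LAST_AFFECTED = {
    "MC Works64": "4.02C",
    "MC Works32": "3.00A",
    "ICONICS 64-bit": "10.96",
    "ICONICS 32-bit": "9.5",
}

# Assumed format: digits '.' digits, then an optional single letter (e.g. 4.02C).
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)([A-Za-z]?)\s*$")


def parse_version(text):
    """Return a sortable key, or None when the string does not fit the format."""
    m = _VERSION.match(text)
    if not m:
        return None
    major, minor, suffix = m.groups()
    # Assumption: the minor part is a decimal fraction, so 9.5 equals 9.50,
    # and letter suffixes sort alphabetically with "no suffix" first.
    return (int(major), Decimal("0." + minor), suffix.upper())


def status(product, installed):
    """Classify a version as 'affected', 'newer' or 'unknown' (check by hand)."""
    limit = LAST_AFFECTED.get(product)
    have = parse_version(installed)
    if limit is None or have is None:
        return "unknown"
    return "affected" if have <= parse_version(limit) else "newer"


def needs_action(inventory):
    """Return hosts whose version is affected or could not be classified."""
    return [host for host, product, version in inventory
            if status(product, version) != "newer"]


if __name__ == "__main__":
    # Constructed inventory: (host, product label, version read from the UI).
    sample = [("hmi-01", "MC Works64", "4.02C"), ("hmi-02", "MC Works64", "4.03A"),
              ("srv-01", "ICONICS 64-bit", "10.96.1"), ("srv-02", "ICONICS 32-bit", "9.50")]
    for host, product, version in sample:
        print(host, product, version, status(product, version))
```

Anything reported as `unknown` has a version string outside the assumed format and should be compared against the vendor advisory by hand.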
📡 Detection & Monitoring
Log Indicators:
- Unexpected system crashes or restarts
- Abnormal network traffic patterns to industrial control ports
- Memory access violations in application logs
Network Indicators:
- Unusual packet patterns to industrial control system ports
- Traffic from unexpected sources to affected services
- Protocol anomalies in SCADA/ICS communications
SIEM Query:
source="industrial_control_system" AND ((event_type="crash" OR event_type="memory_violation") OR dest_port IN (common_industrial_ports))