CVE-2024-1574
📋 TL;DR
This vulnerability allows a local attacker to execute arbitrary code with administrative privileges by tampering with an unprotected file in Mitsubishi Electric's GENESIS64, GENESIS32, ICONICS Suite, BizViz, and MC Works64 software. The unsafe reflection flaw enables attackers to load and execute malicious code through the licensing feature. Affected organizations include industrial control system operators using these supervisory control and data acquisition (SCADA) products.
💻 Affected Systems
- Mitsubishi Electric Iconics Digital Solutions GENESIS64
- Mitsubishi Electric GENESIS64
- Mitsubishi Electric Iconics Digital Solutions ICONICS Suite
- Mitsubishi Electric ICONICS Suite
- Mitsubishi Electric Iconics Digital Solutions GENESIS32
- Mitsubishi Electric GENESIS32
- Mitsubishi Electric Iconics Digital Solutions BizViz
- Mitsubishi Electric BizViz
- Mitsubishi Electric MC Works64
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges leading to disruption of industrial processes, data theft, or ransomware deployment on critical infrastructure systems.
Likely Case
Local privilege escalation allowing attackers to gain administrative control over the SCADA system, potentially enabling further lateral movement within industrial networks.
If Mitigated
Limited impact if proper access controls and file integrity monitoring are implemented, though the vulnerability still exists in the software.
🎯 Exploit Status
Exploitation requires local access to tamper with a specific file. The vulnerability details are publicly disclosed but no proof-of-concept exploit has been published as of the advisory dates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GENESIS64/ICONICS Suite: Update to version 10.97.3 or later; GENESIS32/BizViz: Update to version 9.8 or later; MC Works64: Update to version 4.0.500 or later
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-004_en.pdf
Restart Required: Yes
Instructions:
1. Download the latest version from Mitsubishi Electric's official website. 2. Backup current configuration and data. 3. Install the update following vendor instructions. 4. Restart the system as required. 5. Verify the update was successful by checking the version number.
🔧 Temporary Workarounds
Restrict file permissions
windowsApply strict access controls to the vulnerable licensing file to prevent unauthorized modifications.
icacls "C:\Path\To\Vulnerable\File" /deny Everyone:(F,M,WDAC,WEA,DC,DE,RC,RA,REA,X,WA)
Implement application whitelisting
windowsUse Windows Defender Application Control or similar solutions to prevent execution of unauthorized code.
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges on SCADA systems.
- Deploy file integrity monitoring to detect unauthorized modifications to system files.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of GENESIS64, GENESIS32, ICONICS Suite, BizViz, or MC Works64 against the affected version ranges listed in the advisory.Check Version:
Check the version through the application's About dialog or installed programs list in Windows Control Panel.Verify Fix Applied:
Verify the software version has been updated to the patched versions: GENESIS64/ICONICS Suite ≥10.97.3, GENESIS32/BizViz ≥9.8, MC Works64 ≥4.0.500.📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications to licensing-related files
- Unexpected process execution with administrative privileges
- Security event logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from SCADA systems
- Anomalous authentication patterns to administrative accounts
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%powershell%' OR NewProcessName LIKE '%cmd%') AND SubjectUserName NOT IN (authorized_users) AND ParentProcessName LIKE '%GENESIS%'🔗 References
- https://jvn.jp/vu/JVNVU98894016/
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-004_en.pdf
- https://jvn.jp/vu/JVNVU98894016/
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-004_en.pdf
