Aon’s Cyber Solutions discovered a security vulnerability affecting over 20 Mitsubishi Electric Air Conditioner Control Systems leading to information disclosure and/or denial of service via unauthenticated XML External Entity Injection (XXE). For a complete listing of affected systems, refer to the vendor advisory. The vulnerability was discovered by Howard McGreehan.
Aon would like to thank Mitsubishi Electric for working with us as part of our coordinated disclosure process.
Timeline:
04/14/21 – Initial disclosure to [email protected]
04/21/21 – Issue confirmed by Mitsubishi Electric
07/01/21 – Mitsubishi Electric patches and advisory released
07/06/21 – Aon advisory released
Vendor Advisory:
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-005_en.pdf
CISA Advisory:
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05
CVE-2021-20595: Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems
Overview
Multiple Mitsubishi Electric Air Conditioner Control Systems are vulnerable to unauthenticated XML External Entity Injection (XXE) attacks. This vulnerability can be triggered by sending an XXE payload to the process listening to the TCP port number 1025, which causes the application to make arbitrary HTTP and/or FTP requests. Exploiting this vulnerability may lead to information disclosure and/or denial of service on the affected system models and firmware versions.
Remediation
Refer to the vendor advisory for a complete list of firmware versions in which this vulnerability has been fixed and further instructions on how to upgrade the affected systems.
Author: Howard McGreehan
July 6, 2021
Copyright 2021 Aon Plc