Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems

Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems
July 6, 2021 3 mins

Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems

CVE-2021-20595: Unauthenticated XXE affecting multiple Mitsubishi Electric Air Conditioner Control Systems.

Aon’s Cyber Solutions discovered a security vulnerability affecting over 20 Mitsubishi Electric Air Conditioner Control Systems leading to information disclosure and/or denial of service via unauthenticated XML External Entity Injection (XXE). For a complete listing of affected systems, refer to the vendor advisory. The vulnerability was discovered by Howard McGreehan.

Aon would like to thank Mitsubishi Electric for working with us as part of our coordinated disclosure process.

Timeline:
  • 04/14/21 – Initial disclosure to [email protected]
  • 04/21/21 – Issue confirmed by Mitsubishi Electric
  • 07/01/21 – Mitsubishi Electric patches and advisory released
  • 07/06/21 – Aon advisory released
Vendor Advisory:
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-005_en.pdf
CISA Advisory:
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05

CVE-2021-20595: Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems

Overview

Multiple Mitsubishi Electric Air Conditioner Control Systems are vulnerable to unauthenticated XML External Entity Injection (XXE) attacks. This vulnerability can be triggered by sending an XXE payload to the process listening to the TCP port number 1025, which causes the application to make arbitrary HTTP and/or FTP requests. Exploiting this vulnerability may lead to information disclosure and/or denial of service on the affected system models and firmware versions.

Remediation

Refer to the vendor advisory for a complete list of firmware versions in which this vulnerability has been fixed and further instructions on how to upgrade the affected systems.

Aon’s Thought Leader
  • Howard McGreehan
    Manager, Security Testing, Cyber Solutions

About Cyber Solutions:

Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT department before implementing any recommendation or following the guidance provided herein. Further, the information provided and the statements expressed are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.