CVE-2021-20595: Unauthenticated XXE affecting multiple Mitsubishi Electric Air Conditioner Control Systems.
Stroz Friedberg’s Cyber Solutions discovered a security vulnerability affecting over 20 Mitsubishi Electric Air Conditioner Control Systems leading to information disclosure and/or denial of service via unauthenticated XML External Entity Injection (XXE). For a complete listing of affected systems, refer to the vendor advisory. The vulnerability was discovered by Howard McGreehan.
Stroz Friedberg would like to thank Mitsubishi Electric for working with us as part of our coordinated disclosure process.
Timeline:
- 04/14/21 – Initial disclosure to Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp
- 04/21/21 – Issue confirmed by Mitsubishi Electric
- 07/01/21 – Mitsubishi Electric patches and advisory released
- 07/06/21 – Stroz Friedberg advisory released
Vendor Advisory:
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-005_en.pdf
CISA Advisory:
https://us-cert.cisa.gov/ics/advisories/icsa-21-182-05
CVE-2021-20595: Unauthenticated XXE in Multiple Mitsubishi Electric Air Conditioner Control Systems
Overview
Multiple Mitsubishi Electric Air Conditioner Control Systems are vulnerable to unauthenticated XML External Entity Injection (XXE) attacks. This vulnerability can be triggered by sending an XXE payload to the process listening to the TCP port number 1025, which causes the application to make arbitrary HTTP and/or FTP requests. Exploiting this vulnerability may lead to information disclosure and/or denial of service on the affected system models and firmware versions.
Remediation
Refer to the vendor advisory for a complete list of firmware versions in which this vulnerability has been fixed and further instructions on how to upgrade the affected systems.
