2 critical vulnerabilities in Mitsubishi Electric Air Conditioning System allow hackers to play with the temperature & take control of the business network

Cybersecurity specialists report the detection of at least two critical flaws in the air conditioning systems of the technology company Mitsubishi Electric. According to the report, successful exploitation of the flaws would allow attackers to expose sensitive information or deploy cyberattacks against affected deployments.

Below is a brief report of the flaws detected, in addition to their respective identification keys and scores assigned by the Common Vulnerability Scoring System (CVSS).

CVE-2021-20593: This flaw resides in the web functions of Mitsubishi air conditioning systems and was described as a privilege escalation condition caused by a misapplication of the authentication algorithm.

The flaw received a CVSS score of 7.1/10 and its exploitation would allow threat actors to impersonate administrative users with and perform arbitrary configurations on the affected device.

This vulnerability resides in the following Mitsubishi air conditioning systems versions:

• G-50A: from v2.50 to v3.35
• GB-50A: from v2.50 to v3.35
• AG-150A-A: v3.20 and earlier
• AG-150A-J: v3.20 and earlier
• GB-50ADA-A: v3.20 and earlier
• GB-50ADA-J: v3.20 and earlier
• EB-50GU-A: v7.09 and earlier
• EB-50GU-J: v7.09 and earlier
• AE-200A: v7.93 and earlier
• AE-200E: v7.93 and earlier
• AE-50A: v7.93 and earlier
• AE-50E: v7.93 and earlier
• EW-50A: v7.93 and earlier
• EW-50E: v7.93 and earlier
• TE-200A: v7.93 and earlier
• TE-50A: v7.93 and earlier
• TW-50A: v7.93 and earlier
• CMS-RMD-J: v1.30 and earlier

CVE-2021-20595: On the other hand, this flaw exists because affected products do not adequately restrict references to XML external entities, which would allow the deployment of a denial of service (DoS) attacks.

This vulnerability received a CVSS score of 9.1/10, so it is considered a critical bug. The flaws reside in the following products and versions:

• G-50A: v3.35 and earlier
• GB-50A: v3.35 and earlier
• GB-24A: v9.11 and earlier
• AG-150A-A: v3.20 and earlier
• AG-150A-J: v3.20 and earlier
• GB-50ADA-A: v3.20 and earlier
• GB-50ADA-J: v3.20 and earlier
• EB-50GU-A: v7.09 and earlier
• EB-50GU-J: v7.09 and earlier
• AE-200A: v7.93 and earlier
• AE-200E: v7.93 and earlier
• AE-50A: v7.93 and earlier
• AE-50E: v7.93 and earlier
• EW-50A: v7.93 and earlier
• EW-50E: v7.93 and earlier
• TE-200A: v7.93 and earlier
• TE-50A: v7.93 and earlier
• TW-50A: v7.93 and earlier
• CMS-RMD-J: v1.30 and earlier

These two flaws were reported to the Cybersecurity and Infrastructure Security Agency (CISA) through The Zero Day Initiative (ZDI).

Mitsubishi has already issued updates for each affected deployment, so users are advised to update as soon as possible to prevent any operational risks.

In case of not being able to update, CISA issued some recommendations to mitigate the risk:

• Do not click on web links or open unsolicited attachments via email
• Avoid email scams or social engineering campaigns and phishing attacks

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.