SB2019072902 - Multiple vulnerabilities in Mitsubishi Electric FR Configurator2

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019072902

SB2019072902 - Multiple vulnerabilities in Mitsubishi Electric FR Configurator2

Published: July 29, 2019

Security Bulletin ID SB2019072902
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) XML External Entity injection (CVE-ID: CVE-2019-10976)

The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists due to the input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). A remote attacker can trick a victim to open a specially crafted file and read arbitrary files on the target system.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.


2) Resource exhaustion (CVE-ID: CVE-2019-10972)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the CPU exhaustion when an attacker provides the target with a rogue project file (.frc2). A remote attacker can trick a victim to open the rogue project, trigger CPU exhaustion and cause the software to quit responding until the application is restarted.


Remediation

Install update from vendor's website.

References