
Privilege escalation in Mitsubishi Electric Multiple Factory Automation Engineering Software Products



Published: 2020-07-31
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2020-14496
CWE ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
CPU Module Logging Configuration Tool
Client/Desktop applications / Software for system administration

CW Configurator
Client/Desktop applications / Software for system administration

Mitsubishi Electric FR Configurator2
Client/Desktop applications / Software for system administration

GT Designer3
Client/Desktop applications / Software for system administration

GX LogViewer
Client/Desktop applications / Software for system administration

GX Works2
Client/Desktop applications / Software for system administration

GX Works3
Client/Desktop applications / Software for system administration

M_CommDTM-HART
Client/Desktop applications / Software for system administration

M_CommDTM-IO-Link
Client/Desktop applications / Software for system administration

MELFA-Works
Client/Desktop applications / Software for system administration

MELSOFT FieldDeviceConfigurator
Client/Desktop applications / Software for system administration

MELSOFT Navigator
Client/Desktop applications / Software for system administration

MI Configurator
Client/Desktop applications / Software for system administration

MR Configurator2
Client/Desktop applications / Software for system administration

MT Works2
Client/Desktop applications / Software for system administration

RT ToolBox2
Client/Desktop applications / Software for system administration

RT ToolBox3
Client/Desktop applications / Software for system administration

Data Transfer
Other software / Other software solutions

EZSocket
Other software / Other software solutions

MH11 SettingTool Version2
Other software / Other software solutions

Setting/monitoring tools for the C Controller module
Other software / Other software solutions

GT SoftGOT1000 Version3
Server applications / SCADA systems

GT SoftGOT2000 Version1
Server applications / SCADA systems

MELSEC WinCPU Setting Utility
Operating systems & Components / Operating system package or component

MELSOFT EM Software Development Kit
Hardware solutions / Firmware

Motorizer
Client/Desktop applications / Other client software

PX Developer
Client/Desktop applications / Other client software

MX Component
Universal components / Libraries / Libraries used by multiple products

Network Interface Board CC IE Control utility
Server applications / Other server solutions

Network Interface Board CC IE Field Utility
Server applications / Other server solutions

Network Interface Board CC-Link Ver.2 Utility
Server applications / Other server solutions

Network Interface Board MNETH utility
Server applications / Other server solutions

Vendor: Mitsubishi Electric

Security Advisory

This security advisory describes one medium risk vulnerability.

1) Permissions, Privileges, and Access Controls

Severity: Medium

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-14496

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions, which leads to a security restrictions bypass and privilege escalation.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

CPU Module Logging Configuration Tool: -, 1.100E

CW Configurator: -, 1.010L

Data Transfer: -, 3.40S

EZSocket: -, 4.5

Mitsubishi Electric FR Configurator2: -, 1.22Y

GT Designer3: -, 1.235V

GT SoftGOT1000 Version3: -

GT SoftGOT2000 Version1: -, 1.235V

GX LogViewer: -, 1.100E

GX Works2: -, 1.592S

GX Works3: -, 1.063R

M_CommDTM-HART: -, 1.00A

M_CommDTM-IO-Link: -

MELFA-Works: -, 4.3

MELSEC WinCPU Setting Utility: -

MELSOFT EM Software Development Kit: -, 1.010L

MELSOFT FieldDeviceConfigurator: -, 1.03D

MELSOFT Navigator: -, 2.62Q

MH11 SettingTool Version2: -, 2.002C

MI Configurator: -

Motorizer: -, 1.005F

MR Configurator2: -, 1.105K

MT Works2: -, 1.156N

MX Component: -, 4.19V

Network Interface Board CC IE Control utility: -

Network Interface Board CC IE Field Utility: -

Network Interface Board CC-Link Ver.2 Utility: -

Network Interface Board MNETH utility: -

PX Developer: -, 1.52E

RT ToolBox2: -, 3.72A

RT ToolBox3: -, 1.70Y

Setting/monitoring tools for the C Controller module: -

External links

https://ics-cert.us-cert.gov/advisories/icsa-20-212-02

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.