Privilege escalation in Mitsubishi Electric Multiple Factory Automation Engineering Software Products
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-14496 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
CPU Module Logging Configuration Tool Client/Desktop applications / Software for system administration CW Configurator Client/Desktop applications / Software for system administration Mitsubishi Electric FR Configurator2 Client/Desktop applications / Software for system administration GT Designer3 Client/Desktop applications / Software for system administration GX LogViewer Client/Desktop applications / Software for system administration GX Works2 Client/Desktop applications / Software for system administration GX Works3 Client/Desktop applications / Software for system administration M_CommDTM-HART Client/Desktop applications / Software for system administration M_CommDTM-IO-Link Client/Desktop applications / Software for system administration MELFA-Works Client/Desktop applications / Software for system administration MELSOFT FieldDeviceConfigurator Client/Desktop applications / Software for system administration MELSOFT Navigator Client/Desktop applications / Software for system administration MI Configurator Client/Desktop applications / Software for system administration MR Configurator2 Client/Desktop applications / Software for system administration MT Works2 Client/Desktop applications / Software for system administration RT ToolBox2 Client/Desktop applications / Software for system administration RT ToolBox3 Client/Desktop applications / Software for system administration Data Transfer Other software / Other software solutions EZSocket Other software / Other software solutions MH11 SettingTool Version2 Other software / Other software solutions Setting/monitoring tools for the C Controller module Other software / Other software solutions GT SoftGOT1000 Version3 Server applications / SCADA systems GT SoftGOT2000 Version1 Server applications / SCADA systems MELSEC WinCPU Setting Utility Operating systems & Components / Operating system package or component MELSOFT EM Software Development Kit Hardware solutions / Firmware Motorizer Client/Desktop applications / Other client software PX Developer Client/Desktop applications / Other client software MX Component Universal components / Libraries / Libraries used by multiple products Network Interface Board CC IE Control utility Server applications / Other server solutions Network Interface Board CC IE Field Utility Server applications / Other server solutions Network Interface Board CC-Link Ver.2 Utility Server applications / Other server solutions Network Interface Board MNETH utility Server applications / Other server solutions |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32955
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14496
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsCPU Module Logging Configuration Tool: - - 1.100E
CW Configurator: - - 1.010L
Data Transfer: - - 3.40S
EZSocket: - - 4.5
Mitsubishi Electric FR Configurator2: - - 1.22Y
GT Designer3: - - 1.235V
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: - - 1.235V
GX LogViewer: - - 1.100E
GX Works2: - - 1.592S
GX Works3: - - 1.063R
M_CommDTM-HART: - - 1.00A
M_CommDTM-IO-Link: All versions
MELFA-Works: - - 4.3
MELSEC WinCPU Setting Utility: All versions
MELSOFT EM Software Development Kit: - - 1.010L
MELSOFT FieldDeviceConfigurator: - - 1.03D
MELSOFT Navigator: - - 2.62Q
MH11 SettingTool Version2: - - 2.002C
MI Configurator: All versions
Motorizer: - - 1.005F
MR Configurator2: - - 1.105K
MT Works2: - - 1.156N
MX Component: - - 4.19V
Network Interface Board CC IE Control utility: All versions
Network Interface Board CC IE Field Utility: All versions
Network Interface Board CC-Link Ver.2 Utility: All versions
Network Interface Board MNETH utility: All versions
PX Developer: - - 1.52E
RT ToolBox2: - - 3.72A
RT ToolBox3: - - 1.70Y
Setting/monitoring tools for the C Controller module: All versions
CPE2.3- cpe:2.3:a:mitsubishi_electric:cpu_module_logging_configuration_tool:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:cpu_module_logging_configuration_tool:1.100E:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:cw_configurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:cw_configurator:1.010L:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:data_transfer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:data_transfer:3.40S:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:ezsocket:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:ezsocket:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mitsubishi_electric_fr_configurator2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mitsubishi_electric_fr_configurator2:1.22Y:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gt_designer3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gt_softgot1000_version3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gt_softgot2000_version1:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gx_logviewer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gx_works2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:gx_works3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:m_commdtm-hart:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:m_commdtm-io-link:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:melfa-works:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:melsec_wincpu_setting_utility:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsoft_em_software_development_kit:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:melsoft_fielddeviceconfigurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:melsoft_navigator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mh11_settingtool_version2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mi_configurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:motorizer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mr_configurator2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mt_works2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:mx_component:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:network_interface_board_cc_ie_control_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:network_interface_board_cc_ie_field_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:network_interface_board_cc-link_ver.2_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:network_interface_board_mneth_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:px_developer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:rt_toolbox2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:rt_toolbox3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishi_electric:setting_monitoring_tools_for_the_c_controller_module:*:*:*:*:*:*:*:*
https://ics-cert.us-cert.gov/advisories/icsa-20-212-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
