Multiple vulnerabilities in Mitsubishi Electric GT14 Model of GOT1000 Series



Published: 2020-11-05 | Updated: 2020-11-18
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2020-5644
CVE-2020-5645
CVE-2020-5646
CVE-2020-5647
CVE-2020-5648
CVE-2020-5649
CWE-ID CWE-119
CWE-384
CWE-476
CWE-284
CWE-88
CWE-399
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
GT1450-QMBDE
Hardware solutions / Firmware

GT1450-QLBDE
Hardware solutions / Firmware

GT1455HS-QTBDE
Hardware solutions / Firmware

GT1450HS-QMBDE
Hardware solutions / Firmware

CoreOS
Hardware solutions / Firmware

GT1455-QTBDE
Hardware solutions / Firmware

Vendor Mitsubishi Electric

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU48534

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5644

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can send a specially crafted packet, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Session Fixation

EUVDB-ID: #VU48535

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5645

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the session invalidation issue. A remote attacker can send a specially crafted packet and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL Pointer Dereference

EUVDB-ID: #VU48536

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5646

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can send a specially crafted packet and trigger denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper access control

EUVDB-ID: #VU48537

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5647

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted packet and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Neutralization of Argument Delimiters in a Command

EUVDB-ID: #VU48538

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5648

CWE-ID: CWE-88 - Improper Neutralization of Argument Delimiters in a Command

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability due to improper neutralization of argument delimiters in a command. A remote attacker on the local network can send a specially crafted packet and cause a denial-of-service condition or execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource management error

EUVDB-ID: #VU48539

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5649

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can send a specially crafted packet and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GT1450-QMBDE: All versions

GT1450-QLBDE: All versions

GT1455HS-QTBDE: All versions

GT1450HS-QMBDE: All versions

CoreOS: 05.65.00

GT1455-QTBDE: All versions

External links

http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###