Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2021-20587 CVE-2021-20588 |
CWE-ID | CWE-122 CWE-130 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
Setting/monitoring tools for the C Controller module Other software / Other software solutions Data Transfer Other software / Other software solutions EZSocket Other software / Other software solutions MH11 SettingTool Version2 Other software / Other software solutions CPU Module Logging Configuration Tool Client/Desktop applications / Software for system administration CW Configurator Client/Desktop applications / Software for system administration Mitsubishi Electric FR Configurator2 Client/Desktop applications / Software for system administration FR Configurator Client/Desktop applications / Software for system administration FR Configurator SW3 Client/Desktop applications / Software for system administration GT Designer3 Client/Desktop applications / Software for system administration GX Configurator-DP Client/Desktop applications / Software for system administration GX Configurator-QP Client/Desktop applications / Software for system administration GX Developer Client/Desktop applications / Software for system administration GX LogViewer Client/Desktop applications / Software for system administration GX RemoteService-I Client/Desktop applications / Software for system administration GX Works2 Client/Desktop applications / Software for system administration GX Works3 Client/Desktop applications / Software for system administration M_CommDTM-HART Client/Desktop applications / Software for system administration M_CommDTM-IO-Link Client/Desktop applications / Software for system administration MELFA-Works Client/Desktop applications / Software for system administration MELSOFT EM Software Development Kit (EM Configurator) Client/Desktop applications / Software for system administration MELSOFT Navigator Client/Desktop applications / Software for system administration MI Configurator Client/Desktop applications / Software for system administration MT Works2 Client/Desktop applications / Software for system administration RT ToolBox2 Client/Desktop applications / Software for system administration RT ToolBox3 Client/Desktop applications / Software for system administration SLMP Data Collector Client/Desktop applications / Software for system administration GT SoftGOT1000 Version3 Server applications / SCADA systems GT SoftGOT2000 Version1 Server applications / SCADA systems MELSEC WinCPU Setting Utility Operating systems & Components / Operating system package or component MX Component Universal components / Libraries / Libraries used by multiple products Network Interface Board CC IE Control utility Server applications / Other server solutions Network Interface Board CC IE Field Utility Server applications / Other server solutions Network Interface Board CC-Link Ver.2 Utility Server applications / Other server solutions Network Interface Board MNETH utility Server applications / Other server solutions PX Developer Client/Desktop applications / Other client software |
Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU50839
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-20587
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error. A remote attacker can spoof MELSEC, GOT or FREQROL and return crafted reply packets, trigger heap-based buffer overflow and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSetting/monitoring tools for the C Controller module: All versions
CPU Module Logging Configuration Tool: All versions
CW Configurator: All versions
Data Transfer: All versions
EZSocket: All versions
Mitsubishi Electric FR Configurator2: All versions
FR Configurator: All versions
FR Configurator SW3: All versions
GT Designer3: All versions
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: All versions
GX Configurator-DP: - - 7.14Q
GX Configurator-QP: All versions
GX Developer: All versions
GX LogViewer: All versions
GX RemoteService-I: All versions
GX Works2: - - 1.597X
GX Works3: - - 1.070Y
M_CommDTM-HART: All versions
M_CommDTM-IO-Link: All versions
MELFA-Works: All versions
MELSEC WinCPU Setting Utility: All versions
MELSOFT EM Software Development Kit (EM Configurator): All versions
MELSOFT Navigator: All versions
MH11 SettingTool Version2: All versions
MI Configurator: All versions
MT Works2: All versions
MX Component: All versions
Network Interface Board CC IE Control utility: All versions
Network Interface Board CC IE Field Utility: All versions
Network Interface Board CC-Link Ver.2 Utility: All versions
Network Interface Board MNETH utility: All versions
PX Developer: All versions
RT ToolBox2: All versions
RT ToolBox3: All versions
SLMP Data Collector: All versions
CPE2.3https://jvn.jp/vu/JVNVU92330101/index.html
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-021_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50840
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-20588
CWE-ID:
CWE-130 - Improper Handling of Length Parameter Inconsistency
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of length parameter inconsistency. A remote attacker can spoof MELSEC, GOT or FREQROL, return crafted reply packets and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSetting/monitoring tools for the C Controller module: All versions
CPU Module Logging Configuration Tool: All versions
CW Configurator: All versions
Data Transfer: All versions
EZSocket: All versions
Mitsubishi Electric FR Configurator2: All versions
FR Configurator: All versions
FR Configurator SW3: All versions
GT Designer3: All versions
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: All versions
GX Configurator-DP: - - 7.14Q
GX Configurator-QP: All versions
GX Developer: All versions
GX LogViewer: All versions
GX RemoteService-I: All versions
GX Works2: - - 1.597X
GX Works3: - - 1.070Y
M_CommDTM-HART: All versions
M_CommDTM-IO-Link: All versions
MELFA-Works: All versions
MELSEC WinCPU Setting Utility: All versions
MELSOFT EM Software Development Kit (EM Configurator): All versions
MELSOFT Navigator: All versions
MH11 SettingTool Version2: All versions
MI Configurator: All versions
MT Works2: All versions
MX Component: All versions
Network Interface Board CC IE Control utility: All versions
Network Interface Board CC IE Field Utility: All versions
Network Interface Board CC-Link Ver.2 Utility: All versions
Network Interface Board MNETH utility: All versions
PX Developer: All versions
RT ToolBox2: All versions
RT ToolBox3: All versions
SLMP Data Collector: All versions
CPE2.3https://jvn.jp/vu/JVNVU92330101/index.html
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-021_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.