1) Missing Synchronization

EUVDB-ID: #VU55382

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20592

CWE-ID: CWE-820 - Missing Synchronization

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of servise (DoS) attack.

The vulnerability exists due to the affected software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. A remote attacker can cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GOT2000 GT27 model: 01.19.000 - 01.39.010

GOT2000 GT25 model: 01.19.000 - 01.39.010

GOT2000 GT23 model: 01.19.000 - 01.39.010

GT SoftGOT2000: 1.170C - 1.256S

---

CPE2.3

• cpe:2.3:a:mitsubishi_electric:gt27_model:01.19.000:*:*:*:*:*:*:*
• Full software list in CPE2.3 format available after registration.

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-208-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-007_en.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.