Authorization bypass through user-controlled key in Mitsubishi Electric MELSEC iQ-R Series



Published: 2021-10-15
Risk High
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2021-20599
CWE-ID CWE-639
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
MELSEC iQ-R 08 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 120 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 08 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 120 PSFCPU
Hardware solutions / Firmware

Vendor Mitsubishi Electric

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Authorization bypass through user-controlled key

EUVDB-ID: #VU57377

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-20599

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exist due to insufficient access authorization. A remote attacker can log in to the CPU module by obtaining credentials other than password.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MELSEC iQ-R 08 SFCPU: All versions

MELSEC iQ-R 16 SFCPU: All versions

MELSEC iQ-R 32 SFCPU: All versions

MELSEC iQ-R 120 SFCPU: All versions

MELSEC iQ-R 08 PSFCPU: All versions

MELSEC iQ-R 16 PSFCPU: All versions

MELSEC iQ-R 32 PSFCPU: All versions

MELSEC iQ-R 120 PSFCPU: All versions

External links

http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-011_en.pdf
http://us-cert.cisa.gov/ics/advisories/icsa-21-287-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###