SB2022012108 - Multiple vulnerabilities in Mitsubishi Electric MC Works64

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2022-23128)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incomplete list of disallowed inputs in the FrameWorX Server. A remote attacker can open a communication channel to the WebSocket endpoint and bypass GENESIS64 /MC Works64 security.

2) Out-of-bounds read (CVE-ID: CVE-2022-23130)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the SQL query engine. A remote administrator on the local network can trigger out-of-bounds read error and cause a denial of service condition on the system.

Remediation

Install update from vendor's website.

References

• https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01"
• https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01</a></p><p>
• https://www.mitsubishielectric.com/en/psirt/vulnerability/index.html</p><p><br></p>