Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software products



Risk: Low
Patch available: NO
Number of vulnerabilities: 2
CVE-ID: CVE-2022-21151, CVE-2021-33149
CWE-ID: CWE-200, CWE-203
Exploitation vector: Local
Public exploit: N/A
Vulnerable software (all in category Hardware solutions / Firmware):
MELSEC Q Series Q26DHCCPU-LS
MELSEC Q Series Q24DHCCPU-LS
MELSEC Q Series Q24DHCCPU-VG
MELSEC Q Series Q24DHCCPU-V
MELSEC iQ-R Series R102WCPU-W
MELIPC Series MI3315G-W
MELIPC Series MI3321G-W
MELIPC Series MI1002-W
MELIPC Series MI2012-W
MELIPC Series MI5122-VW

Vendor: Mitsubishi Electric

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU63348

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-21151

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because a processor optimization removes or modifies security-critical code. A local privileged user can gain access to potentially sensitive information.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MELSEC Q Series Q26DHCCPU-LS: All versions

MELSEC Q Series Q24DHCCPU-LS: All versions

MELSEC Q Series Q24DHCCPU-VG: All versions

MELSEC Q Series Q24DHCCPU-V: All versions

MELSEC iQ-R Series R102WCPU-W: All versions

MELIPC Series MI3315G-W: All versions

MELIPC Series MI3321G-W: All versions

MELIPC Series MI1002-W: All versions

MELIPC Series MI2012-W: All versions

MELIPC Series MI5122-VW: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-23-341-01
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-017_en.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Observable discrepancy

EUVDB-ID: #VU84030

Risk: Low

CVSSv3.1: 2.3 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-33149

CWE-ID: CWE-203 - Observable discrepancy

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an observable behavioral discrepancy. A local user can gain unauthorized access to sensitive information on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MELSEC Q Series Q26DHCCPU-LS: All versions

MELSEC Q Series Q24DHCCPU-LS: All versions

MELSEC Q Series Q24DHCCPU-VG: All versions

MELSEC Q Series Q24DHCCPU-V: All versions

MELSEC iQ-R Series R102WCPU-W: All versions

MELIPC Series MI3315G-W: All versions

MELIPC Series MI3321G-W: All versions

MELIPC Series MI1002-W: All versions

MELIPC Series MI2012-W: All versions

MELIPC Series MI5122-VW: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-23-341-01
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-017_en.pdf


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


