Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software Products
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-6942 CVE-2023-6943 |
| CWE-ID | CWE-306 CWE-470 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
EZSocket Other software / Other software solutions FR Configurator2 Other software / Other software solutions GT Designer3 Version1(GOT1000) Other software / Other software solutions GT Designer3 Version1(GOT2000) Other software / Other software solutions MX OPC Server DA Other software / Other software solutions GX Works2 Client/Desktop applications / Software for system administration GX Works3 Client/Desktop applications / Software for system administration MELSOFT Navigator Client/Desktop applications / Software for system administration MT Works2 Client/Desktop applications / Software for system administration MX Component Universal components / Libraries / Libraries used by multiple products MX OPC Server UA Server applications / SCADA systems |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Missing Authentication for Critical Function
EUVDB-ID: #VU85933
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-6942
CWE-ID:
CWE-306 - Missing Authentication for Critical Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication for critical function. A remote attacker can send specially crafted packets and bypass authentication.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsEZSocket: 3.0
FR Configurator2: All versions
GT Designer3 Version1(GOT1000): All versions
GT Designer3 Version1(GOT2000): All versions
GX Works2: 1.11M
GX Works3: All versions
MELSOFT Navigator: 1.04E
MT Works2: All versions
MX Component: 4.00A
MX OPC Server DA: All versions
MX OPC Server UA: All versions
External linkshttp://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf
http://jvn.jp/vu/JVNVU95103362
http://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Unsafe reflection
EUVDB-ID: #VU85936
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2023-6943
CWE-ID:
CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to unsafe reflection. A remote attacker can call a function with a path to a malicious library while connected to the affected products and execute arbitrary code on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsEZSocket: 3.0
FR Configurator2: All versions
GT Designer3 Version1(GOT1000): All versions
GT Designer3 Version1(GOT2000): All versions
GX Works2: 1.11M
GX Works3: All versions
MELSOFT Navigator: 1.04E
MT Works2: All versions
MX Component: 4.00A
MX OPC Server DA: All versions
MX OPC Server UA: All versions
External linkshttp://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf
http://jvn.jp/vu/JVNVU95103362
http://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
