#VU71302 Predictable Seed in Pseudo-Random Number Generator (PRNG) in Mitsubishi Electric products - CVE-2022-40267

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Vulnerabilities #VU71302

#VU71302 Predictable Seed in Pseudo-Random Number Generator (PRNG) in Mitsubishi Electric products - CVE-2022-40267

Published: January 18, 2023 / Updated: April 11, 2023


Vulnerability identifier: #VU71302
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2022-40267
CWE-ID: CWE-337
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
MELSEC iQ-F FX5U
MELSEC iQ-F FX5UC
MELSEC iQ-F FX5UC-32MT/DS-TS
MELSEC iQ-F FX5UC-32MT/DSS-TS
MELSEC iQ-F FX5UC-32MR/DS-TS
MELSEC iQ-R 00 CPU
MELSEC iQ-R 01 CPU
MELSEC iQ-R 02 CPU
MELSEC iQ-R 04 (EN) CPU
MELSEC iQ-R 08 (EN) CPU
MELSEC iQ-R 16 (EN) CPU
MELSEC iQ-R 32 (EN) CPU
MELSEC iQ-R 120 (EN) CPU
Software vendor:
Mitsubishi Electric

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to predictable seed in the pseudo-random number generator within the WEB server function. A remote attacker can bypass authorization on the target system.

This vulnerability affects the following products:

  • MELSEC iQ-F Series with serial number 17X**** or later:  
    • FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Versions 1.280 and prior 
    • FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS: Versions 1.280 and prior 
  • MELSEC iQ-F Series with serial number 179**** and prior:  
    • FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Versions 1.074 and prior 
    • FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS: Versions 1.074 and prior 
  • MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: Versions 1.280 and prior 
  • MELSEC iQ-R Series R00/01/02CPU: All versions 
  • MELSEC iQ-R Series R04/08/16/32/ 120(EN)CPU: All versions 

Remediation

Install updates from vendor's website.

External links