Vulnerability identifier: #VU29430
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software (all listed under Client/Desktop applications / Software for system administration):
CPU Module Logging Configuration Tool
CW Configurator
EM Software Development Kit
GT Designer3
GX LogViewer
GX Works2
GX Works3
M_CommDTM-HART
M_CommDTM-IO-Link
MELFA-Works
MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool
MELSOFT FieldDeviceConfigurator
MELSOFT iQ AppPortal
MELSOFT Navigator
MI Configurator
Motion Control Setting
MR Configurator2
MT Works2
RT ToolBox2
RT ToolBox3
Vendor: Mitsubishi Electric
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
CPU Module Logging Configuration Tool: 1.94Y
CW Configurator: 1.010L
EM Software Development Kit: 1.010L
GT Designer3: 1.221F
GX LogViewer: 1.96A
GX Works2: 1.586L
GX Works3: 1.058L
M_CommDTM-HART: 1.00A
M_CommDTM-IO-Link: 1.02C
MELFA-Works: 4.3
MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool: 1.004E
MELSOFT FieldDeviceConfigurator: 1.03D
MELSOFT iQ AppPortal: 1.11M
MELSOFT Navigator: 1.003D
MI Configurator: 1.003D
Motion Control Setting: 1.005F
MR Configurator2: 1.72A
MT Works2: 1.156N
RT ToolBox2: 3.72A
RT ToolBox3: 1.50C
External links
http://jvn.jp/en/vu/JVNVU90307594/index.html
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-004_en.pdf
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.