Vulnerability identifier: #VU32955
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
CPU Module Logging Configuration Tool (Client/Desktop applications / Software for system administration)
CW Configurator (Client/Desktop applications / Software for system administration)
Mitsubishi Electric FR Configurator2 (Client/Desktop applications / Software for system administration)
GT Designer3 (Client/Desktop applications / Software for system administration)
GX LogViewer (Client/Desktop applications / Software for system administration)
GX Works2 (Client/Desktop applications / Software for system administration)
GX Works3 (Client/Desktop applications / Software for system administration)
M_CommDTM-HART (Client/Desktop applications / Software for system administration)
M_CommDTM-IO-Link (Client/Desktop applications / Software for system administration)
MELFA-Works (Client/Desktop applications / Software for system administration)
MELSOFT FieldDeviceConfigurator (Client/Desktop applications / Software for system administration)
MELSOFT Navigator (Client/Desktop applications / Software for system administration)
MI Configurator (Client/Desktop applications / Software for system administration)
MR Configurator2 (Client/Desktop applications / Software for system administration)
MT Works2 (Client/Desktop applications / Software for system administration)
RT ToolBox2 (Client/Desktop applications / Software for system administration)
RT ToolBox3 (Client/Desktop applications / Software for system administration)
Data Transfer (Other software / Other software solutions)
EZSocket (Other software / Other software solutions)
MH11 SettingTool Version2 (Other software / Other software solutions)
Setting/monitoring tools for the C Controller module (Other software / Other software solutions)
GT SoftGOT1000 Version3 (Server applications / SCADA systems)
GT SoftGOT2000 Version1 (Server applications / SCADA systems)
MELSEC WinCPU Setting Utility (Operating systems & Components / Operating system package or component)
MELSOFT EM Software Development Kit (Hardware solutions / Firmware)
Motorizer (Client/Desktop applications / Other client software)
PX Developer (Client/Desktop applications / Other client software)
MX Component (Universal components / Libraries / Libraries used by multiple products)
Network Interface Board CC IE Control utility (Server applications / Other server solutions)
Network Interface Board CC IE Field Utility (Server applications / Other server solutions)
Network Interface Board CC-Link Ver.2 Utility (Server applications / Other server solutions)
Network Interface Board MNETH utility (Server applications / Other server solutions)
Vendor: Mitsubishi Electric
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
CPU Module Logging Configuration Tool: 1.100E
CW Configurator: 1.010L
Data Transfer: 3.40S
EZSocket: 4.5
Mitsubishi Electric FR Configurator2: 1.22Y
GT Designer3: 1.235V
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: 1.235V
GX LogViewer: 1.100E
GX Works2: 1.592S
GX Works3: 1.063R
M_CommDTM-HART: 1.00A
M_CommDTM-IO-Link: All versions
MELFA-Works: 4.3
MELSEC WinCPU Setting Utility: All versions
MELSOFT EM Software Development Kit: 1.010L
MELSOFT FieldDeviceConfigurator: 1.03D
MELSOFT Navigator: 2.62Q
MH11 SettingTool Version2: 2.002C
MI Configurator: All versions
Motorizer: 1.005F
MR Configurator2: 1.105K
MT Works2: 1.156N
MX Component: 4.19V
Network Interface Board CC IE Control utility: All versions
Network Interface Board CC IE Field Utility: All versions
Network Interface Board CC-Link Ver.2 Utility: All versions
Network Interface Board MNETH utility: All versions
PX Developer: 1.52E
RT ToolBox2: 3.72A
RT ToolBox3: 1.70Y
Setting/monitoring tools for the C Controller module: All versions
External links
http://ics-cert.us-cert.gov/advisories/icsa-20-212-02
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.