Missing Synchronization in Mitsubishi Electric Server applications

#VU55382 Missing Synchronization

Published: 2021-07-28

Vulnerability identifier: #VU55382

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20592

CWE-ID: CWE-820

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GOT2000 GT27 model
Server applications / SCADA systems
GOT2000 GT25 model
Server applications / SCADA systems
GOT2000 GT23 model
Server applications / SCADA systems
GT SoftGOT2000
Server applications / SCADA systems

Vendor: Mitsubishi Electric

Description

The vulnerability allows a remote attacker to perform a denial of servise (DoS) attack.

The vulnerability exists due to the affected software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. A remote attacker can cause a denial of service condition on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

GOT2000 GT27 model: 01.19.000 - 01.39.010

GOT2000 GT25 model: 01.19.000 - 01.39.010

GOT2000 GT23 model: 01.19.000 - 01.39.010

GT SoftGOT2000: 1.170C - 1.256S

CPE

External links
http://ics-cert.us-cert.gov/advisories/icsa-21-208-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-007_en.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Mitsubishi Electric GOT2000 series and GT SoftGOT2000