Headline
Mitsubishi Electric Multiple FA Engineering Software Products
View CSAF
- EXECUTIVE SUMMARY CVSS v3 6.0 ATTENTION: Low attack complexity Vendor: Mitsubishi Electric Equipment: Multiple FA Engineering Software Products Vulnerabilities: Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, Improper Privilege Management
- RISK EVALUATION Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.
- TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected: CPU Module Logging Configuration Tool: All versions CSGL (GX Works2 connection configuration): All versions CW Configurator: All versions Data Transfer: All versions Data Transfer Classic: All versions EZSocket (communication middleware product for Mitsubishi Electric partner companies): All versions FR Configurator SW3: All versions FR Configurator2: All versions GENESIS64: All versions GT Designer3 Version1 (GOT1000): All versions GT Designer3 Version1 (GOT2000): All versions GT SoftGOT1000 Version3: All versions GT SoftGOT2000 Version1: All versions GX Developer: All versions GX LogViewer: All versions GX Works2: All versions GX Works3: All versions iQ Works (MELSOFT Navigator): All versions MI Configurator: All versions Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions MR Configurator (SETUP221): All versions MR Configurator2: All versions MRZJW3-MC2-UTL: All versions MX Component: All versions MX OPC Server DA/UA (Software packaged with MC Works64): All versions PX Developer/Monitor Tool: All versions RT ToolBox3: All versions RT VisualBox: All versions Setting/monitoring tools for the C Controller module (SW4PVC-CCPU): All versions SW0DNC-MNETH-B: All versions SW1DNC-CCBD2-B: All versions SW1DNC-CCIEF-J: All versions SW1DNC-CCIEF-B: All versions SW1DNC-MNETG-B: All versions SW1DNC-QSCCF-B: All versions SW1DND-EMSDK-B All versions 3.2 Vulnerability Overview 3.2.1 Improper Privilege Management CWE-269 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands. CVE-2023-51776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2023-51776. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N). 3.2.2 Uncontrolled Resource Consumption CWE-400 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2023-51777 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2023-51777. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.3 Out-of-bounds Write CWE-787 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2023-51778 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2023-51778. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.4 Uncontrolled Resource Consumption CWE-400 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2024-22102 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-22102. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.5 Out-of-bounds Write CWE-787 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2024-22103 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-22103. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.6 Out-of-bounds Write CWE-787 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2024-22104 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-22104. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.7 Uncontrolled Resource Consumption CWE-400 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2024-22105 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-22105. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.8 Improper Privilege Management CWE-269 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands. CVE-2024-22106 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-22106. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N). 3.2.9 Improper Privilege Management CWE-269 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands. CVE-2024-25086 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2024-25086. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N). 3.2.10 Uncontrolled Resource Consumption CWE-400 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition. CVE-2024-25087 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H). A CVSS v4 score has also been calculated for CVE-2024-25087. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). 3.2.11 Improper Privilege Management CWE-269 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands. CVE-2024-25088 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2024-25088. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N). 3.2.12 Improper Privilege Management CWE-269 If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands. CVE-2024-26314 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N). A CVSS v4 score has also been calculated for CVE-2024-26314. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.
- MITIGATIONS Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities: Restrict physical access to the computer using the product. Install an antivirus software in your computer using the affected product. Don’t open untrusted files or click untrusted links. For additional information see Mitsubishi Electric advisory 2024-001. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.
- UPDATE HISTORY May 14, 2024: Initial Publication