CVE-2020-14523

Description

Multiple Mitsubishi Electric Factory Automation products have a vulnerability that allows an attacker to execute arbitrary code.

Affected (20)

Products: Mitsubishielectric: Cw Configurator, Fr Configurator2, Gx Works2, Gx Works3, Iu Configuration Tool, Iu Developer2, Melsoft Iq Appportal, Melsoft Navigator, Mi Configurator, Mr Configurator2, Mt Works2, Mx Component, Rt Toolbox3, Rd78g4 Firmware, Rd78g8 Firmware, Rd78g16 Firmware, Rd78g32 Firmware, Rd78g64 Firmware, Rd78ghv Firmware, Rd78ghw Firmware

Configuration A

13 vulnerable

Vulnerable Software	Affected Versions
Mitsubishielectric Cw Configurator	Up to 1.010l
Mitsubishielectric Fr Configurator2	Up to 1.22y
Mitsubishielectric Gx Works2	Up to 1.595v
Mitsubishielectric Gx Works3	Up to 1.063r
Mitsubishielectric Iu Configuration Tool	Up to 1.04
Mitsubishielectric Iu Developer2	Up to 1.08
Mitsubishielectric Melsoft Iq Appportal	Up to 1.17t
Mitsubishielectric Melsoft Navigator	Up to 2.70y
Mitsubishielectric Mi Configurator	All versions
Mitsubishielectric Mr Configurator2	Up to 1.110q
Mitsubishielectric Mt Works2	Up to 1.156n
Mitsubishielectric Mx Component	Up to 4.20w
Mitsubishielectric Rt Toolbox3	Up to 1.70y

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78g4 Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78g4	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78g8 Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78g8	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78g16 Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78g16	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78g32 Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78g32	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78g64 Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78g64	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78ghv Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78ghv	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Mitsubishielectric Rd78ghw Firmware	Up to 10

Running on/with	Platform Versions
Mitsubishielectric Rd78ghw	All versions

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (6)

https://jvn.jp/vu/JVNVU90224831/

Source: ics-cert@hq.dhs.gov

Third Party Advisory

https://www.cisa.gov/uscert/ics/advisories/icsa-20-212-03

Source: ics-cert@hq.dhs.gov

PatchThird Party AdvisoryUS Government Resource

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-008_en.pdf

Source: ics-cert@hq.dhs.gov

Vendor Advisory

https://jvn.jp/vu/JVNVU90224831/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cisa.gov/uscert/ics/advisories/icsa-20-212-03

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party AdvisoryUS Government Resource

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-008_en.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Description

Affected (20)

Related CWEs

References (6)

Timeline