Mitsubishi Electric FA Engineering Software (Update A)

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.3
• ATTENTION: Low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: FA Engineering Software Products
• Vulnerability: Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric FA Engineering Software Products are affected:

• AL-PCS/WIN-E: All versions
• CPU Module Logging Configuration Tool: All versions
• EZSocket: All versions
• FR Configurator2: All versions
• FX Configurator-EN: All versions
• FX Configurator-EN-L: All versions
• FX Configurator-FP: All versions
• GT Designer3 Version1(GOT1000): All versions
• GT Designer3 Version1(GOT2000): All versions
• GT SoftGOT1000 Version3: All versions
• GT SoftGOT2000 Version1: All versions
• GX LogViewer: All versions
• GX Works2: All versions
• GX Works3: All versions
• MELSOFT FieldDeviceConfigurator: All versions
• MELSOFT iQ AppPortal: All versions
• MELSOFT MaiLab: All versions
• MELSOFT Navigator: All versions
• MELSOFT Update Manager: All versions
• MX Component: All versions
• MX Sheet: All versions
• PX Developer: All versions
• RT ToolBox3: All versions
• RT VisualBox: All versions
• Data Transfer: All versions
• Data Transfer Classic: All versions

3.2 Vulnerability Overview

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

In all versions of the affected software products, code execution is possible due to permission issues. This could allow an attacker to cause information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.

CVE-2023-4088 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:

• Install the affected products in their default installation locations. If users install CPU Module Logging Configuration Tool, EZSocket, FR Configurator2, GT Designer3 Version1(GOT2000), GT SoftGOT1000 Version3, GT SoftGOT2000 Version1, GX LogViewer, GX Works2, GX Works3, MELSOFT FieldDeviceConfigurator, MELSOFT Navigator, MX Component, RT ToolBox3 or Data Transfer, install the following versions or later, because products with versions prior to the following are vulnerable to CVE-2020-14496 and the mitigation measures are not effective. CPU Module Logging Configuration Tool: Ver 1.106K and later, EZSocket: Ver 4.6 and later, FR Configurator2: Ver 1.23Z and later, GT Designer3 Version1(GOT2000): Ver 1.236W and later, GT SoftGOT1000 Version3: Ver 3.245F and later, GT SoftGOT2000 Version1: Ver 1.236W and later, GX LogViewer: Ver 1.106K and later, GX Works2: Ver 1.595V and later, GX Works3: Ver 1.065T and later, MELSOFT FieldDeviceConfigurator: Ver 1.04E and later, MELSOFT Navigator: Ver 2.70Y and later, MX Component: Ver 4.20W and later, RT ToolBox3: Ver 1.80J and later, Data Transfer: Ver 3.41T and later.
• If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
• Install an anti-virus software on the computer using the affected product.
• Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
• When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN),
  etc., and allow only trusted users to remote login.
• Don't open untrusted files or click untrusted links.

For more information, see the Mitsubishi Electric security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• September 26, 2023: Initial Publication
• July 09, 2024: Update A - Expanded affected products and updated mitigations section

• Mitsubishi Electric