ICS Advisory (ICSA-21-278-01)

Mitsubishi Electric GOT and Tension Controller (Update A)

Click to Tweet.
Click to send to Facebook.
Click to Share.

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.


 

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: GOT and Tension Controller
  • Vulnerabilities: Improper Handling of Exceptional Conditions, Improper Input Validation

--------- Begin Update A Part 1 of 2 ---------

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric.

--------- End Update A Part 1 of 2 ---------

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-278-01 Mitsubishi Electric GOT and Tension Controller that was published October 5, 2021, to the ICS webpage on www.cisa.gov/uscert.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition by sending specially crafted packets.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

  • GOT2000 Series GT21 Model
    • GT2107-WTBD: All versions
    • GT2107-WTSD: All versions
    • GT2104-RTBD: All versions
    • GT2104-PMBD: All versions
    • GT2103-PMBD: All versions
  • GOT SIMPLE Series GS21 Model
    • GS2110-WTBD: All versions
    • GS2107-WTBD: All versions
    • GS2110-WTBD-N: All versions
    • GS2107-WTBD-N: All versions
  • Tension Controller
    • LE7-40GU-L: All versions

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions due to the improper handling of exceptional conditions.

CVE-2021-20602 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.2    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.3    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20604 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.4    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20605 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

4.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

5. MITIGATIONS

--------- Begin Update A Part 2 of 2 ---------

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below and no mitigation access is required. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric support.

--------- End Update A Part 2 of 2 ---------


Contact Information

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  https://us-cert.cisa.gov/ics 
or incident reporting:  https://us-cert.cisa.gov/report

CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts.

We recently updated our anonymous product survey; we'd welcome your feedback.