ICS Advisory

Mitsubishi Electric GOT and Tension Controller (Update A)

Last Revised
Alert Code
ICSA-21-278-01

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: GOT and Tension Controller
  • Vulnerabilities: Improper Handling of Exceptional Conditions, Improper Input Validation

--------- Begin Update A Part 1 of 2 ---------

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric.

--------- End Update A Part 1 of 2 ---------

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-278-01 Mitsubishi Electric GOT and Tension Controller that was published October 5, 2021, to the ICS webpage on www.cisa.gov/uscert.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition by sending specially crafted packets.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

  • GOT2000 Series GT21 Model
    • GT2107-WTBD: All versions
    • GT2107-WTSD: All versions
    • GT2104-RTBD: All versions
    • GT2104-PMBD: All versions
    • GT2103-PMBD: All versions
  • GOT SIMPLE Series GS21 Model
    • GS2110-WTBD: All versions
    • GS2107-WTBD: All versions
    • GS2110-WTBD-N: All versions
    • GS2107-WTBD-N: All versions
  • Tension Controller
    • LE7-40GU-L: All versions

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions due to the improper handling of exceptional conditions.

CVE-2021-20602 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.2    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.3    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20604 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.4    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20605 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

4.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

5. MITIGATIONS

--------- Begin Update A Part 2 of 2 ---------

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below and no mitigation access is required. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric support.

--------- End Update A Part 2 of 2 ---------

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Mitsubishi Electric