Published: 2020/06/30  Last Updated: 2020/07/01

JVNVU#90307594
Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software

Overview

Multiple Mitsubishi Electric FA Engineering Software products contain multiple vulnerabilities due to issues in XML processing.

Products Affected

  • CPU Module Logging Configuration Tool Ver. 1.94Y and earlier
  • CW Configurator Ver. 1.010L and earlier
  • EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier
  • GT Designer3 (GOT2000) Ver. 1.221F and earlier
  • GX LogViewer Ver. 1.96A and earlier
  • GX Works2 Ver. 1.586L and earlier
  • GX Works3 Ver. 1.058L and earlier
  • M_CommDTM-HART Ver. 1.00A
  • M_CommDTM-IO-Link Ver. 1.02C and earlier
  • MELFA-Works Ver. 4.3 and earlier
  • MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier
  • MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier
  • MELSOFT iQ AppPortal Ver. 1.11M and earlier
  • MELSOFT Navigator Ver. 2.58L and earlier
  • MI Configurator Ver. 1.003D and earlier
  • Motion Control Setting Ver. 1.005F and earlier
  • MR Configurator2 Ver. 1.72A and earlier
  • MT Works2 Ver. 1.156N and earlier
  • RT ToolBox2 Ver. 3.72A and earlier
  • RT ToolBox3 Ver. 1.50C and earlier

For more information, refer to the information provided by the developer.

Description

Multiple Mitsubishi Electric FA Engineering Software products contain the multiple vulnerabilities listed below due to issues in XML processing.

  • Improper Restriction of XML External Entity Reference (XXE) (CWE-611) - CVE-2020-5602
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 4.0
  • Uncontrolled Resource Consumption (CWE-400) - CVE-2020-5603
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Base Score: 6.2
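Both CVEs arise from DTD handling when an XML project or settings file is parsed: CWE-611 needs an external entity declaration, and the entity-expansion form of CWE-400 needs internally declared entities. As an added illustration (not Mitsubishi Electric's code, and not the parser used in the affected products), the following Python loader refuses any DOCTYPE and caps element count and nesting depth, and is run over constructed sample documents; the limits, tag names and file contents are assumptions.

```python
import xml.parsers.expat

# Hypothetical limits for this example; a real loader sizes them to its format.
MAX_BYTES, MAX_ELEMENTS, MAX_DEPTH = 4 * 1024 * 1024, 100_000, 64


class UnsafeXML(ValueError):
    """Document uses XML features the project loader does not allow."""


def parse_project_xml(data: bytes) -> dict:
    """Parse a project/settings file into {tag/path: text}, refusing DTD processing.

    XXE (CWE-611) and entity-expansion DoS (CWE-400) both require DTD-declared
    entities, so a loader that never needs a DTD can reject any DOCTYPE outright.
    Element count and depth caps bound CPU/memory on huge but DTD-free inputs.
    """
    if len(data) > MAX_BYTES:
        raise UnsafeXML(f"input exceeds {MAX_BYTES} bytes")
    result, path, text, count = {}, [], [], 0

    def reject(reason):
        def handler(*_):  # expat passes handler-specific args; all are refused
            raise UnsafeXML(reason)
        return handler

    def start(tag, attrs):
        nonlocal count
        count += 1
        path.append(tag)
        if count > MAX_ELEMENTS or len(path) > MAX_DEPTH:
            raise UnsafeXML("element count or nesting depth exceeds limits")
        text.clear()

    def end(tag):
        value = "".join(text).strip()
        if value:
            result["/".join(path)] = value
        path.pop()
        text.clear()

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject("DOCTYPE declarations are not allowed")
    p.EntityDeclHandler = reject("entity declarations are not allowed")
    p.ExternalEntityRefHandler = reject("external entity references are not allowed")
    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler = text.append  # expat may split text; pieces are joined at end()
    try:
        p.Parse(data, True)
    except xml.parsers.expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from e
    return result


def check_project_file(data: bytes) -> tuple:
    """Return (accepted, reason) so a loader can log why a file was refused."""
    try:
        parse_project_xml(data)
        return True, "ok"
    except UnsafeXML as e:
        return False, str(e)


# Constructed sample inputs (not real Mitsubishi project files).
BENIGN = b'<project><name>Line1</name><cpu><type>EXAMPLE-CPU</type></cpu></project>'
XXE_ATTEMPT = (b'<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
               b'<project><name>&ext;</name></project>')
EXPANSION_ATTEMPT = (b'<!DOCTYPE project [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                     b'<project><name>&b;</name></project>')
```

Because the DOCTYPE handler fires before any entity is declared or dereferenced, both crafted samples are refused at the same point, and no file read or expansion ever starts.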

Impact

The impact of each vulnerability differs, but if a user uses a specially crafted project file or settings data file, the possible impacts are as follows.

  • A file on the computer where the affected product is running may be sent out - CVE-2020-5602
  • The affected product may fall into a denial of service (DoS) condition - CVE-2020-5603

Solution

Update the Software
Apply the appropriate software update according to the information provided by the developer.

  • CPU Module Logging Configuration Tool Ver. 1.100E and later
  • CW Configurator Ver. 1.011M and later
  • EM Software Development Kit (EM Configurator) Ver. 1.015R and later
  • GT Designer3 (GOT2000) Ver. 1.225K and later
  • GX LogViewer Ver. 1.100E and later
  • GX Works2 Ver. 1.590Q and later
  • GX Works3 Ver. 1.060N and later
  • M_CommDTM-HART Ver. 1.01B and later
  • M_CommDTM-IO-Link Ver. 1.03D and later
  • MELFA-Works Ver. 4.4 and later
  • MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.005F and later
  • MELSOFT FieldDeviceConfigurator Ver. 1.04E and later
  • MELSOFT iQ AppPortal Ver. 1.14Q and later
  • MELSOFT Navigator Ver. 2.62Q and later
  • MI Configurator Ver. 1.004E and later
  • Motion Control Setting Ver. 1.006G and later
  • MR Configurator2 Ver. 1.100E and later
  • MT Works2 Ver. 1.160S and later
  • RT ToolBox2 Ver. 3.73B and later
  • RT ToolBox3 Ver. 1.60N and later
Apply Workaround
The developer states that if a user cannot update the affected product to the latest version, applying the following workarounds may mitigate the impacts of these vulnerabilities.
  • When receiving a project file and/or settings data file to be used with the affected product via e-mail, USB memory, or a file server, be sure to obtain it through a legitimate and appropriate route and/or from a trusted source. Make sure no suspicious file is included.
  • When operating the FA Engineering Software, be sure to run it with a non-administrative account.
  • Install and use anti-virus software on the computer where the FA Engineering Software runs.
  • Restrict network connections from all control system devices and systems, and control access from untrusted networks or hosts.
  • Set up a firewall to protect the control system networks and remote devices, and disconnect them from the business network.
  • Use a VPN when remote access is necessary.
For more information, refer to the information provided by the developer.

References

  1. ICS Advisory (ICSA-20-182-02)
    Mitsubishi Electric Factory Automation Engineering Software Products

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Mitsubishi Electric Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE: CVE-2020-5602, CVE-2020-5603

Update History

2020/07/01
Added ICS Advisory link to [References] section.