JVNVU#90307594
Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software
Overview
Multiple Mitsubishi Electric FA Engineering Software products contain multiple vulnerabilities due to issues in processing XML.
Products Affected
- CPU Module Logging Configuration Tool Ver. 1.94Y and earlier
- CW Configurator Ver. 1.010L and earlier
- EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier
- GT Designer3 (GOT2000) Ver. 1.221F and earlier
- GX LogViewer Ver. 1.96A and earlier
- GX Works2 Ver. 1.586L and earlier
- GX Works3 Ver. 1.058L and earlier
- M_CommDTM-HART Ver. 1.00A
- M_CommDTM-IO-Link Ver. 1.02C and earlier
- MELFA-Works Ver. 4.3 and earlier
- MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier
- MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier
- MELSOFT iQ AppPortal Ver. 1.11M and earlier
- MELSOFT Navigator Ver. 2.58L and earlier
- MI Configurator Ver. 1.003D and earlier
- Motion Control Setting Ver. 1.005F and earlier
- MR Configurator2 Ver. 1.72A and earlier
- MT Works2 Ver. 1.156N and earlier
- RT ToolBox2 Ver. 3.72A and earlier
- RT ToolBox3 Ver. 1.50C and earlier
For more information, refer to the information provided by the developer.
Description
Multiple Mitsubishi Electric FA Engineering Software products contain the multiple vulnerabilities listed below due to issues in processing XML.
Impact
The impact of each vulnerability differs, but if a user opens a specially crafted project file or settings data file with an affected product, the possible impacts are as follows.
- A file on the computer where the affected product is running may be sent out to an external party - CVE-2020-5602
- The affected product may fall into a denial of service (DoS) condition - CVE-2020-5603
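The advisory does not name the XML feature at fault. The two impacts it lists (a local file leaving the machine, and the tool hanging or crashing) are the classic results of an XML parser that resolves external entities and expands nested internal entities without limit, so the example below assumes that mechanism; it is an added illustration, not Mitsubishi Electric's code, and nothing in it is the vendor's file format. It is a standard-library-only Python guard that a tool consuming untrusted project or settings files could run before handing the text to its XML parser: it rejects external DTDs and SYSTEM/PUBLIC entity declarations, bounds internal entity expansion by nesting depth and total size, and still lets small benign internal entities through. The element names, thresholds and sample documents are constructed for the example.

```python
"""Pre-parse guard for untrusted XML project/settings files (added example)."""
import re
import xml.etree.ElementTree as ET

MAX_EXPANDED_BYTES = 10_000   # assumption: total entity-expansion budget per document
MAX_NESTING = 4               # assumption: longest entity-inside-entity chain tolerated


class UnsafeXML(ValueError):
    """The document would make a parser fetch a resource or expand without bound."""


_DOCTYPE = re.compile(
    r"<!DOCTYPE\s+(?P<root>[^\s\[>]+)"
    r"(?P<extid>\s+(?:SYSTEM|PUBLIC)\b[^\[>]*)?"
    r"(?:\s*\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL,
)
_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+"
    r"(?P<value>\"[^\"]*\"|'[^']*'|(?:SYSTEM|PUBLIC)\b[^>]*)\s*>",
    re.DOTALL,
)
_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")


def _entity_table(subset):
    """Split the DTD internal subset into internal entities and external ones."""
    internal, external = {}, []
    for m in _ENTITY.finditer(subset):
        name = ("%" if m.group("param") else "") + m.group("name")
        value = m.group("value")
        if value[0] in "\"'":
            internal[name] = value[1:-1]      # literal replacement text
        else:
            external.append(name)             # SYSTEM/PUBLIC: resolved from a URI
    return internal, external


def _expanded_size(name, internal, memo, chain):
    """Bytes that &name; becomes after full expansion, following nested references."""
    if name in memo:
        return memo[name]
    if name in chain:
        raise UnsafeXML(f"recursive entity &{name};")
    if len(chain) >= MAX_NESTING:
        raise UnsafeXML(f"entity nesting deeper than {MAX_NESTING} at &{name};")
    body = internal[name]
    total, pos = 0, 0
    for ref in _REF.finditer(body):
        total += ref.start() - pos
        inner = ref.group(1)
        if inner in internal:
            total += _expanded_size(inner, internal, memo, chain + [name])
        else:
            total += len(ref.group(0))        # predefined (&amp;) or undefined: stays literal
        pos = ref.end()
    total += len(body) - pos
    if total > MAX_EXPANDED_BYTES:
        raise UnsafeXML(f"entity &{name}; expands past {MAX_EXPANDED_BYTES} bytes")
    memo[name] = total
    return total


def inspect_xml(text):
    """Return None if `text` is safe to parse, otherwise a short reason string."""
    m = _DOCTYPE.search(text)
    if m is None:
        return None                           # no DTD: nothing to fetch or expand
    if m.group("extid"):
        return "DOCTYPE loads an external DTD"
    internal, external = _entity_table(m.group("subset") or "")
    if external:
        return "external entity declared: " + ", ".join(external)
    if any(n.startswith("%") for n in internal):
        return "parameter entity declared"   # assumption: never needed in a settings file
    memo, total = {}, 0
    try:
        for ref in _REF.finditer(text, m.end()):   # references in the document body
            if ref.group(1) in internal:
                total += _expanded_size(ref.group(1), internal, memo, [])
                if total > MAX_EXPANDED_BYTES:
                    raise UnsafeXML(f"document expands past {MAX_EXPANDED_BYTES} bytes")
    except UnsafeXML as exc:
        return str(exc)
    return None


def load_settings(text):
    """Parse a project/settings file only after the guard has cleared it."""
    reason = inspect_xml(text)
    if reason is not None:
        raise UnsafeXML(reason)
    return ET.fromstring(text)


# Constructed samples; the element names are invented, not a real vendor format.
BENIGN = """<?xml version="1.0"?>
<!DOCTYPE project [ <!ENTITY vendor "Example Co."> ]>
<project><name>Line 3 PLC</name><vendor>&vendor;</vendor></project>"""

FILE_READ = """<?xml version="1.0"?>
<!DOCTYPE project [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<project><name>&xxe;</name></project>"""


def billion_laughs(levels=9, fanout=10):
    """Build the classic exponential-expansion document (constructed sample)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, levels + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<lolz>&lol{levels};</lolz>")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("file read", FILE_READ),
                       ("billion laughs", billion_laughs())):
        print(f"{label:15s}: {inspect_xml(doc) or 'ok'}")
```

The guard sits in front of whatever parser the product actually uses; its value is that it is deterministic and cheap, and that the decision (reject external references outright, budget internal expansion) is visible to the reader rather than buried in parser defaults. Where a library such as defusedxml is available, its forbid_dtd and forbid_entities options give the same effect with less code; the point of the budget here is to show that small benign internal entities need not be sacrificed to block the blow-up.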
Solution
Update the Software
Apply the appropriate software update according to the information provided by the developer.
- CPU Module Logging Configuration Tool Ver. 1.100E and later
- CW Configurator Ver. 1.011M and later
- EM Software Development Kit (EM Configurator) Ver. 1.015R and later
- GT Designer3 (GOT2000) Ver. 1.225K and later
- GX LogViewer Ver. 1.100E and later
- GX Works2 Ver. 1.590Q and later
- GX Works3 Ver. 1.060N and later
- M_CommDTM-HART Ver. 1.01B and later
- M_CommDTM-IO-Link Ver. 1.03D and later
- MELFA-Works Ver. 4.4 and later
- MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.005F and later
- MELSOFT FieldDeviceConfigurator Ver. 1.04E and later
- MELSOFT iQ AppPortal Ver. 1.14Q and later
- MELSOFT Navigator Ver. 2.62Q and later
- MI Configurator Ver. 1.004E and later
- Motion Control Setting Ver. 1.006G and later
- MR Configurator2 Ver. 1.100E and later
- MT Works2 Ver. 1.160S and later
- RT ToolBox2 Ver. 3.73B and later
- RT ToolBox3 Ver. 1.60N and later
The developer states that if a user cannot update the affected product to the latest version, applying the following workarounds may mitigate the impact of these vulnerabilities.
- When receiving a project file and/or settings data file to be used with the affected product via email, USB memory or a file server, make sure it arrives through a legitimate and appropriate route and/or from a legitimate source, and check that no suspicious file is included.
- Run the FA Engineering Software under a non-administrative account.
- Install and use anti-virus software on the computer where the FA Engineering Software runs.
- Restrict network connections from all control system devices and systems, and control access from untrusted networks or hosts.
- Set up firewalls to protect the control system networks and remote devices, and isolate them from the business network.
- Use a VPN when remote access is necessary.
Vendor Status
Vendor | Link |
Mitsubishi Electric Corporation | Multiple Vulnerabilities Due to Improper Handling of XML in Multiple FA Engineering Software Products |
References
- ICS Advisory (ICSA-20-182-02): Mitsubishi Electric Factory Automation Engineering Software Products
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Mitsubishi Electric Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
Other Information
Database | Entry |
CVE | CVE-2020-5602 |
CVE | CVE-2020-5603 |
Update History
- 2020/07/01
- Added ICS Advisory link to [References] section.