ICSA-23-269-03 · Published 2024-07-09
Mitsubishi Electric FA Engineering Software (Update A)
CVSS 9.3
CRITICAL
Risk Summary
Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
CVEs (1)
Remediations
- Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:
- Install the affected products in their default installation locations. If users install CPU Module Logging Configuration Tool, EZSocket, FR Configurator2, GT Designer3 Version1(GOT2000), GT SoftGOT1000 Version3, GT SoftGOT2000 Version1, GX LogViewer, GX Works2, GX Works3, MELSOFT FieldDeviceConfigurator, MELSOFT Navigator, MX Component, RT ToolBox3 or Data Transfer, install the following versions or later, because products with versions prior to the following are vulnerable to CVE-2020-14496 and the mitigation measures are not effective:
  - CPU Module Logging Configuration Tool: Ver 1.106K and later
  - EZSocket: Ver 4.6 and later
  - FR Configurator2: Ver 1.23Z and later
  - GT Designer3 Version1(GOT2000): Ver 1.236W and later
  - GT SoftGOT1000 Version3: Ver 3.245F and later
  - GT SoftGOT2000 Version1: Ver 1.236W and later
  - GX LogViewer: Ver 1.106K and later
  - GX Works2: Ver 1.595V and later
  - GX Works3: Ver 1.065T and later
  - MELSOFT FieldDeviceConfigurator: Ver 1.04E and later
  - MELSOFT Navigator: Ver 2.70Y and later
  - MX Component: Ver 4.20W and later
  - RT ToolBox3: Ver 1.80J and later
  - Data Transfer: Ver 3.41T and later
- If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
- Install anti-virus software on the computer using the affected product.
- Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
- When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., and allow only trusted users to log in remotely.
- Don't open untrusted files or click untrusted links.
- For more information, see the Mitsubishi Electric security advisory.
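One way to verify the non-default installation folder measure above, as an added example that is not from Mitsubishi Electric or CISA: a PowerShell audit that lists every Allow entry granting write-type rights on the install folder tree to a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER. The default path is a placeholder and the function name `Get-UnsafeInstallAce` is hypothetical; pass the folder actually used on the engineering workstation.

```powershell
param(
    # Placeholder (assumption): the folder the affected product was installed into.
    [string[]]$InstallPath = @('C:\Path\To\InstallFolder')
)

# Principals that may change the folder without violating the mitigation:
# SYSTEM, BUILTIN\Administrators, TrustedInstaller, and CREATOR OWNER
# (inherit-only; it applies only to whoever could already create the object).
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464',
    'S-1-3-0'
)

# Write-type bits only, so read/execute grants are not flagged.
# 0x40000000 = GENERIC_WRITE, 0x10000000 = GENERIC_ALL (seen in inherit-only ACEs).
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-UnsafeInstallAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($root in $InstallPath) {
    if (-not (Test-Path -LiteralPath $root -PathType Container)) {
        Write-Warning "Folder not found: $root"
        continue
    }
    # Check the install folder itself and every subfolder beneath it.
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
    foreach ($dir in $dirs) { Get-UnsafeInstallAce -Path $dir }
}
```

No output means no such entry was found; any row returned identifies a folder that a non-administrative principal can change.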
Affected Vendors
Mitsubishi Electric
Affected Products (26)
- Mitsubishi Electric · AL-PCS/WIN-E · vers:all/*
- Mitsubishi Electric · CPU Module Logging Configuration Tool · vers:all/*
- Mitsubishi Electric · EZSocket · vers:all/*
- Mitsubishi Electric · FR Configurator2 · vers:all/*
- Mitsubishi Electric · FX Configurator-EN · vers:all/*
- Mitsubishi Electric · FX Configurator-EN-L · vers:all/*
- Mitsubishi Electric · FX Configurator-FP · vers:all/*
- Mitsubishi Electric · GT Designer3 Version1(GOT1000) · vers:all/*
- Mitsubishi Electric · GT Designer3 Version1(GOT2000) · vers:all/*
- Mitsubishi Electric · GT SoftGOT1000 Version3 · vers:all/*
- Mitsubishi Electric · GT SoftGOT2000 Version1 · vers:all/*
- Mitsubishi Electric · GX LogViewer · vers:all/*
- Mitsubishi Electric · GX Works2 · vers:all/*
- Mitsubishi Electric · GX Works3 · vers:all/*
- Mitsubishi Electric · MELSOFT FieldDeviceConfigurator · vers:all/*
- Mitsubishi Electric · MELSOFT iQ AppPortal · vers:all/*
- Mitsubishi Electric · MELSOFT MaiLab · vers:all/*
- Mitsubishi Electric · MELSOFT Navigator · vers:all/*
- Mitsubishi Electric · MELSOFT Update Manager · vers:all/*
- Mitsubishi Electric · MX Component · vers:all/*
- Mitsubishi Electric · MX Sheet · vers:all/*
- Mitsubishi Electric · PX Developer · vers:all/*
- Mitsubishi Electric · RT ToolBox3 · vers:all/*
- Mitsubishi Electric · RT VisualBox · vers:all/*
- Mitsubishi Electric · Data Transfer · vers:all/*
- Mitsubishi Electric · Data Transfer Classic · vers:all/*
Affected Sectors
Critical Manufacturing