ICSA-22-102-04
Vulnerability from csaf_cisa
Published
2022-04-12 00:00
Modified
2022-05-12 00:00
Summary
Mitsubishi Electric GT25-WLAN
Notes
CISA Disclaimer
This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.
Risk evaluation
There are multiple vulnerabilities due to design flaws in the frame fragmentation functionality and the frame aggregation functionality in the Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow an attacker to steal communication contents or inject unauthorized packets.
Critical infrastructure sectors
Critical Manufacturing
Countries/areas deployed
Worldwide
Company headquarters location
Japan
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
Exploitability
No known public exploits specifically target these vulnerabilities.
{ "document": { "acknowledgments": [ { "organization": "Mitsubishi Electric", "summary": "reporting these vulnerabilities to CISA" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Disclosure is not limited", "tlp": { "label": "WHITE", "url": "https://us-cert.cisa.gov/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov", "title": "CISA Disclaimer" }, { "category": "legal_disclaimer", "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.", "title": "Legal Notice" }, { "category": "summary", "text": "There are multiple vulnerabilities due to design flaws in the frame fragmentation functionality and the frame aggregation functionality in the Wireless Communication Standards IEEE 802.11. These vulnerabilities could allow an attacker to steal communication contents or inject unauthorized packets.", "title": "Risk evaluation" }, { "category": "other", "text": "Critical Manufacturing", "title": "Critical infrastructure sectors" }, { "category": "other", "text": "Worldwide", "title": "Countries/areas deployed" }, { "category": "other", "text": "Japan", "title": "Company headquarters location" }, { "category": "general", "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet; Locate control system networks and remote devices behind firewalls and isolate them from the business network; When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.", "title": "Recommended Practices" }, { "category": "general", "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\nCISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.", "title": "Recommended Practices" }, { "category": "general", "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.", "title": "Recommended Practices" }, { "category": "other", "text": "No known public exploits specifically target these vulnerabilities.", "title": "Exploitability" } ], "publisher": { "category": "coordinator", "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "references": [ { "category": "self", "summary": "ICS Advisory ICSA-22-102-04 JSON", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-102-04.json" }, { "category": "self", "summary": "ICS Advisory ICSA-22-102-04 Web Version", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-102-04" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" }, { "category": "external", "summary": "Recommended Practices", "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B" } ], "title": "Mitsubishi Electric GT25-WLAN", "tracking": { "current_release_date": "2022-05-12T00:00:00.000000Z", "generator": { "engine": { "name": "CISA CSAF Generator", "version": "1.0.0" } }, "id": "ICSA-22-102-04", "initial_release_date": "2022-04-12T00:00:00.000000Z", "revision_history": [ { "date": "2022-04-12T00:00:00.000000Z", "legacy_version": "Initial", "number": "1", "summary": "ICSA-22-102-04 Mitsubishi Electric GT25-WLAN" }, { "date": "2022-05-12T00:00:00.000000Z", "legacy_version": "A", "number": "2", "summary": "ICSA-22-102-04 Mitsubishi Electric GT25-WLAN (Update A)" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c= 01.39.000", "product": { "name": "GT25-WLAN: Version 01.39.000 and earlier", "product_id": "CSAFPID-0001" } } ], "category": "product_name", "name": "GT25-WLAN" } ], "category": "vendor", "name": "Mitsubishi Electric" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-24586", "cwe": { "id": "CWE-212", "name": "Improper Removal of Sensitive Information Before Storage or Transfer" }, "notes": [ { "category": "summary", "text": "The affected product is vulnerable to a fragment cache attack as it does not clear fragments from memory when (re)connecting. This may allow an attacker to steal communication contents or inject unauthorized packets. CVE-2020-24586 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24586" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-24587", "cwe": { "id": "CWE-326", "name": "Inadequate Encryption Strength" }, "notes": [ { "category": "summary", "text": "The affected product is vulnerable to a mixed key attack as it reassembles fragments encrypted under different keys. This may allow an attacker to steal communication contents. CVE-2020-24587 has been assigned to this vulnerability. A CVSS v3 base score of 2.6 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24587" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 2.6, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-24588", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "notes": [ { "category": "summary", "text": "The affected product is vulnerable to an aggregation attack as it accepts non-SPP A-MSDU frames. This may allow an attacker to inject unauthorized packets. CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24588" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-26140", "cwe": { "id": "CWE-74", "name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)" }, "notes": [ { "category": "summary", "text": "The affected product can accept plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets. CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26140" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-26143", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The affected product is vulnerable to accepting fragmented plaintext data frames in a protected network. This may allow an attacker to inject unauthorized packets. CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26143" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-26144", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The affected product can accept plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network. This may allow an attacker to inject unauthorized packets. CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26144" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] }, { "cve": "CVE-2020-26146", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "summary", "text": "The affected product can reassemble encrypted fragments with non-consecutive packet numbers. This may allow an attacker to steal communication contents. CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).", "title": "Vulnerability Summary" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "references": [ { "category": "external", "summary": "web.nvd.nist.gov", "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146" }, { "category": "external", "summary": "www.first.org", "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "remediations": [ { "category": "mitigation", "details": "For users who use the affected products and versions, please update to the fixed versions", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the versions in use by referencing GOT2000 Series User\u0027s Manual (Utility) (SH-081195ENG), 6.9 Package Data Management - \u201cProperty operation.\u201d", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "The latest version of the manual is available from Mitsubishi Electric FA Global Website.", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa" }, { "category": "mitigation", "details": "Install system applications (extended function) \u201cWireless LAN\u201d v01.45.000 or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Fixed system applications (extended function) \u201cWireless LAN\u201d is included in GT Designer3 Version 1 (GOT2000) v1.275M or later.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "This does not include countermeasures for CVE-2020-26146", "product_ids": [ "CSAFPID-0001" ], "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-26146" }, { "category": "mitigation", "details": "Download and install the fixed version of MELSOFT GT Designer3 (GOT2000). Please contact a Mitsubishi Electric representative about MELSOFT GT Designer3 (GOT2000).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/support/index.html" }, { "category": "mitigation", "details": "Start the MELSOFT GT Designer3 (GOT2000) and open the project data used in affected products.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Select [Write to GOT] from [Communication] menu to write the required package data to the GOT. Please refer to \u201c4. COMMUNICATING WITH GOT\u201d in the GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG).", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "After writing the required package data to the GOT, refer to the \u201cHow to check the versions in use\u201d and check the fixed versions.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as an access point, check if the wireless LAN communication unit settings are as follows.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Use the IP filter function*1 to restrict the accessible IP addresses. *1- Refer to GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG) \u201c5.4.3 Setting the IP filter\u201d", "product_ids": [ "CSAFPID-0001" ], "url": "https://www.mitsubishielectric.com/fa/products/hmi/got/smerit/gt_works3/manual/index.html" }, { "category": "mitigation", "details": "When using the wireless LAN communication unit as a station, check if the router settings are as follows: For the passphrase used for wireless LAN, avoid settings that can be guessed from the consecutive numbers and MAC address, and set an unpredictable passphrase combining letters and numbers. Use WPA or WPA2 as the security authentication method for wireless LAN.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "If you change the router settings, hide its presence on the Internet to make it difficult for unauthorized access. (e.g., set to not respond to PING requests).", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Set password for the router\u0027s Management portal, which is difficult to be identified.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Check the following when using a computer or tablet, etc., on the same network.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Update Antivirus software to the latest version.", "product_ids": [ "CSAFPID-0001" ] }, { "category": "mitigation", "details": "Do not open or access suspicious attachment file or linked URL.", "product_ids": [ "CSAFPID-0001" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "CSAFPID-0001" ] } ] } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.