View CSAF
1. EXECUTIVE SUMMARY
CVSS v3 6.0
ATTENTION: Low attack complexity
Vendor: Mitsubishi Electric
Equipment: Multiple FA Engineering Software Products
Vulnerabilities: Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, Improper Privilege Management
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:
CPU Module Logging Configuration Tool: All versions
CSGL (GX Works2 connection configuration): All versions
CW Configurator: All versions
Data Transfer: All versions
Data Transfer Classic: All versions
EZSocket (communication middleware product for Mitsubishi Electric partner companies): All versions
FR Configurator SW3: All versions
FR Configurator2: All versions
GENESIS64: All versions
GT Designer3 Version1 (GOT1000): All versions
GT Designer3 Version1 (GOT2000): All versions
GT SoftGOT1000 Version3: All versions
GT SoftGOT2000 Version1: All versions
GX Developer: All versions
GX LogViewer: All versions
GX Works2: All versions
GX Works3: All versions
iQ Works (MELSOFT Navigator): All versions
MI Configurator: All versions
Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions
MR Configurator (SETUP221): All versions
MR Configurator2: All versions
MRZJW3-MC2-UTL: All versions
MX Component: All versions
MX OPC Server DA/UA (Software packaged with MC Works64): All versions
PX Developer/Monitor Tool: All versions
RT ToolBox3: All versions
RT VisualBox: All versions
Setting/monitoring tools for the C Controller module (SW4PVC-CCPU): All versions
SW0DNC-MNETH-B: All versions
SW1DNC-CCBD2-B: All versions
SW1DNC-CCIEF-J: All versions
SW1DNC-CCIEF-B: All versions
SW1DNC-MNETG-B: All versions
SW1DNC-QSCCF-B: All versions
SW1DND-EMSDK-B All versions
3.2 Vulnerability Overview
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2023-51776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-51776. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2023-51777 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-51777. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2023-51778 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-51778. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22102 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22102. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22103 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22103. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22104 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22104. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22105 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22105. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.
CVE-2024-22106 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22106. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-25086 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-25086. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-25087 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-25087. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-25088 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-25088. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-26314 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-26314. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:
Restrict physical access to the computer using the product.
Install an antivirus software in your computer using the affected product.
Don’t open untrusted files or click untrusted links.
For additional information see Mitsubishi Electric advisory 2024-001.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY
May 14, 2024: Initial Publication