CVE-2022-25157
https://notcve.org/view.php?id=CVE-2022-25157
Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to disclose or tamper with the information in the product by using an eavesdropped password hash. Vulnerabilidad en el uso del hash de la contraseña en lugar de la contraseña para la autenticación en Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU todas las versiones, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(ES)CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R16/32/64MTCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GF11-T2 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GP21(S)-SX todas las versiones, Mitsubishi Electric MELSEC serie iQ-R RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC serie Q Q03UDECPU todas las versiones, Mitsubishi Electric MELSEC serie Q04/06/10/13/20/26/50/100UDEHCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71C24N(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71E71-100 todas las versiones, Mitsubishi Electric MELSEC serie L L02/06/26CPU(-P) todas las versiones, Mitsubishi Electric MELSEC serie L L26CPU-(P)BT todas las versiones, Mitsubishi Electric MELSEC serie L LJ71C24(-R2) todas las versiones, Mitsubishi Electric MELSEC serie L LJ71E71-100 todas las versiones y Mitsubishi Electric MELSEC serie L LJ72GF15-T2 todas las versiones permiten a un atacante remoto no autenticado revelar o manipular la información del producto mediante el uso de un hash de contraseña interceptado • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-287: Improper Authentication •
CVE-2022-25155
https://notcve.org/view.php?id=CVE-2022-25155
Use of Password Hash Instead of Password for Authentication vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by replaying an eavesdropped password hash. Vulnerabilidad en el uso del hash de la contraseña en lugar de la contraseña para la autenticación en Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU todas las versiones, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R04/08/16/32/120(ES)CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GN11-T2 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71GN11-EIP todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC Q serie Q03UDECPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/10/13/20/26/50/100UDEHCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71C24N(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71E71-100 todas las versiones, Mitsubishi Electric MELSEC Q serie QJ72BR15 todas las versiones, Mitsubishi Electric MELSEC Q serie QJ72LP25(-25/G/GE) todas las versiones, Mitsubishi Electric MELSEC serie L L02/06/26CPU(-P) todas las versiones, Mitsubishi Electric MELSEC serie L L26CPU-(P)BT todas las versiones, Mitsubishi Electric MELSEC serie L LJ71C24(-R2) todas las versiones, Mitsubishi Electric MELSEC serie L LJ71E71-100 todas las versiones y Mitsubishi Electric MELSEC serie L LJ72GF15-T2 todas las versiones permiten que un atacante remoto no autenticado inicie sesión en el producto reproduciendo un hash de contraseña interceptado • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-287: Improper Authentication •
CVE-2022-25156
https://notcve.org/view.php?id=CVE-2022-25156
Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC Q series QJ72BR15 all versions, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote unauthenticated attacker to login to the product by using a password reversed from a previously eavesdropped password hash. Uso de la vulnerabilidad Weak Hash en Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU todas las versiones, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R04/08/16/32/120(ES)CPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC serie iQ-R RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC serie Q Q03UDECPU todas las versiones, Mitsubishi Electric MELSEC serie Q04/06/10/13/20/26/50/100UDEHCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie QJ71C24N(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC Q series QJ71E71-100 todas las versiones, Mitsubishi Electric MELSEC Q series QJ72BR15 todas las versiones, Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) todas las versiones, Mitsubishi Electric MELSEC serie L L02/06/26CPU(-P) todas las versiones, Mitsubishi Electric MELSEC serie L L26CPU-(P)BT todas las versiones, Mitsubishi Electric MELSEC serie L LJ71C24(-R2) todas las versiones, Mitsubishi Electric MELSEC serie L LJ71E71-100 todas las versiones y Mitsubishi Electric MELSEC serie L LJ72GF15-T2 todas las versiones permite a un atacante remoto no autenticado iniciar sesión en el producto utilizando una contraseña invertida a partir de un hash de contraseña previamente interceptado • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-326: Inadequate Encryption Strength •
CVE-2020-16226 – Mitsubishi Electric Multiple Products
https://notcve.org/view.php?id=CVE-2020-16226
Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands. Múltiples productos de Mitsubishi Electric, son vulnerables a suplantaciones de un dispositivo legítimo por parte de un actor malicioso, lo que puede permitir a un atacante ejecutar comandos arbitrarios remotamente This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mitsubishi Electric MELSEC iQ-F. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ACK packets. When generating ACK packets, the application uses a predictable sequence number. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01 • CWE-342: Predictable Exact Value from Previous Values •
CVE-2020-5527
https://notcve.org/view.php?id=CVE-2020-5527
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition. The vendor states this vulnerability only affects Ethernet communication functions. Cuando el puerto de transmisión de MELSOFT (UDP/IP) de la serie Mitsubishi Electric MELSEC iQ-R (todas las versiones), la serie MELSEC iQ-F (todas las versiones), la serie MELSEC Q (todas las versiones), la serie MELSEC L (todas las versiones) y la serie MELSEC F (todas las versiones), recibe una cantidad masiva de datos por medio de vectores no especificados, un consumo de recursos se presenta y el puerto no procesa los datos apropiadamente. Como resultado, puede caer en una condición de denegación de servicio (DoS). • https://jvn.jp/en/vu/JVNVU91553662/index.html https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2019-005_en.pdf • CWE-400: Uncontrolled Resource Consumption •