CVE-2023-4088 – Malicious Code Execution Vulnerability in FA Engineering Software Products
https://notcve.org/view.php?id=CVE-2023-4088
Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder. Vulnerabilidad de Permisos Predeterminados Incorrectos debido a una solución incompleta para abordar CVE-2020-14496 en los productos de software de ingeniería de Mitsubishi Electric Corporation FA permite que un atacante local malicioso ejecute un código malicioso, lo que podría resultar en la divulgación, manipulación y eliminación de información, o una condición de denegación fuera de servicio (DoS). Sin embargo, si la versión mitigada descrita en el aviso para CVE-2020-14496 se utiliza y se instala en la carpeta de instalación predeterminada, esta vulnerabilidad no afecta a los productos. • https://jvn.jp/vu/JVNVU96447193/index.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-269-03 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-010_en.pdf • CWE-276: Incorrect Default Permissions •
CVE-2023-3373
https://notcve.org/view.php?id=CVE-2023-3373
Predictable Exact Value from Previous Values vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT21 model versions 01.49.000 and prior and GOT SIMPLE Series GS21 model versions 01.49.000 and prior allows a remote unauthenticated attacker to hijack data connections (session hijacking) or prevent legitimate users from establishing data connections (to cause DoS condition) by guessing the listening port of the data connection on FTP server and connecting to it. • https://jvn.jp/vu/JVNVU92167394/index.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-01 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-006_en.pdf • CWE-330: Use of Insufficiently Random Values CWE-342: Predictable Exact Value from Previous Values •
CVE-2023-0525
https://notcve.org/view.php?id=CVE-2023-0525
Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled. Vulnerabilidad Weak Encoding for Password en Mitsubishi Electric Corporation GOT2000 Series modelo GT27 versiones 01.49.000 y anteriores, modelo GT25 versiones 01.49.000 y anteriores, modelo GT23 versiones 01.49.000 y anteriores, modelo GT21 versiones 01.49.000 y anteriores, serie GOT SIMPLE modelo GS25 versiones 01.49.000 y anteriores, modelo GS21 versiones 01.49.000 y anteriores, GT Designer3 Version1 (GOT2000) versiones 1.295H y anteriores, y GT SoftGOT2000 versiones 1.295H y anteriores, permite a un atacante remoto no autenticado obtener contraseñas en texto plano al espiar paquetes que contienen contraseñas cifradas y descifrar las contraseñas cifradas. Esto ocurre en el caso de la transferencia de datos con GT Designer3 Version1 (GOT2000) y GOT2000 Series o GOT SIMPLE Series con la función de Seguridad de Transferencia de Datos habilitada, o en el caso de la transferencia de datos mediante la función de enlace SoftGOT-GOT con GT SoftGOT2000 y GOT2000 series con la función de Seguridad de Transferencia de Datos habilitada. • https://jvn.jp/vu/JVNVU95285923/index.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-02 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-008_en.pdf • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •
CVE-2023-3346 – Denial of Service (DoS) and Remote Code Execution Vulnerability in MITSUBISHI CNC Series
https://notcve.org/view.php?id=CVE-2023-3346
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in MITSUBSHI CNC Series allows a remote unauthenticated attacker to cause Denial of Service (DoS) condition and execute arbitrary code on the product by sending specially crafted packets. In addition, system reset is required for recovery. • https://jvn.jp/vu/JVNVU90352157/index.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-208-03 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-007_en.pdf • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2023-2846 – Authentication Bypass Vulnerability in MELSEC-F Series main module
https://notcve.org/view.php?id=CVE-2023-2846
Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series main modules allows a remote unauthenticated attacker to cancel the password/keyword setting and login to the affected products by sending specially crafted packets. • https://jvn.jp/vu/JVNVU94519952 https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-005_en.pdf • CWE-294: Authentication Bypass by Capture-replay •