CVE-2022-33323 – Authentication Bypass Vulnerability in Robot Controller of MELFA SD/SQ series and F-series
https://notcve.org/view.php?id=CVE-2022-33323
Active Debug Code vulnerability in robot controller of Mitsubishi Electric Corporation industrial robot MELFA SD/SQ Series and MELFA F-Series allows a remote unauthenticated attacker to gain unauthorized access by authentication bypass through an unauthorized telnet login. As for the affected model names, controller types and firmware versions, see the Mitsubishi Electric's advisory which is listed in [References] section. • https://jvn.jp/vu/JVNVU94588481/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-05 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-020_en.pdf • CWE-489: Active Debug Code •
CVE-2022-40267 – Authentication Bypass Vulnerability in Web Server Function on MELSEC Series
https://notcve.org/view.php?id=CVE-2022-40267
Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/z (x=24,40,60, y=T,R, z=ES,ESS) versions 1.042 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/ES-A (x=24,40,60, y=T,R) versions 1.043 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-xMy/z (x=30,40,60,80, y=T,R, z=ES,ESS) versions 1.003 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU versions 33 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU versions 66 and prior allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers. • https://jvn.jp/vu/JVNVU99673580/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-02 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-019_en.pdf • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) •
CVE-2022-40265 – Denial of Service (DoS) Vulnerability in MELSEC iQ-R Series Ethernet Interface Module
https://notcve.org/view.php?id=CVE-2022-40265
Improper Input Validation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series RJ71EN71 Firmware version "65" and prior and Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120ENCPU Network Part Firmware version "65" and prior allows a remote unauthenticated attacker to cause a Denial of Service condition by sending specially crafted packets. A system reset is required for recovery. Vulnerabilidad de Validación de Entrada Incorrecta en Mitsubishi Electric Corporation MELSEC iQ-R Series RJ71EN71 Versión de firmware "65" y anteriores y Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120ENCPU Network Part Firmware versión "65" y anteriores permite una un atacante remoto no autenticado provoque una condición de Denegación de Servicio mediante el envío de paquetes especialmente manipulados. Es necesario reiniciar el sistema para la recuperación. • https://jvn.jp/vu/JVNVU94702422 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-017_en.pdf • CWE-20: Improper Input Validation •
CVE-2022-29833
https://notcve.org/view.php?id=CVE-2022-29833
Insufficiently Protected Credentials vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could access to MELSEC safety CPU modules illgally. Vulnerabilidad de credenciales insuficientemente protegidas en Mitsubishi Electric Corporation GX Works3 versiones 1.015R y posteriores permite que un atacante remoto no autenticado revele información sensible. Como resultado, los usuarios no autenticados podrían acceder ilegalmente a los módulos de CPU de seguridad de MELSEC. • https://jvn.jp/vu/JVNVU97244961 https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf • CWE-522: Insufficiently Protected Credentials •
CVE-2022-29832
https://notcve.org/view.php?id=CVE-2022-29832
Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could obtain information about the project file for MELSEC safety CPU modules or project file for MELSEC Q/FX/L series with security setting. Vulnerabilidad de almacenamiento de texto sin cifrar de información confidencial en memoria en Mitsubishi Electric Corporation GX Works3 versiones 1.015R y posteriores, GX Works2 todas las versiones y GX Developer versiones 8.40S y posteriores permite que un atacante remoto no autenticado revele información sensible. Como resultado, los usuarios no autenticados podrían obtener información sobre el archivo de proyecto para los módulos de CPU de seguridad de MELSEC o el archivo de proyecto para la serie MELSEC Q/FX/L con configuración de seguridad. • https://jvn.jp/vu/JVNVU97244961 https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf • CWE-312: Cleartext Storage of Sensitive Information CWE-316: Cleartext Storage of Sensitive Information in Memory •