1. EXECUTIVE SUMMARY
- CVSS v3 6.0
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: Multiple FA Engineering Software Products
- Vulnerabilities: Improper Privilege Management, Uncontrolled Resource Consumption, Out-of-bounds Write, Improper Privilege Management
2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:
- CPU Module Logging Configuration Tool: All versions
- CSGL (GX Works2 connection configuration): All versions
- CW Configurator: All versions
- Data Transfer: All versions
- Data Transfer Classic: All versions
- EZSocket (communication middleware product for Mitsubishi Electric partner companies): All versions
- FR Configurator SW3: All versions
- FR Configurator2: All versions
- GENESIS64: All versions
- GT Designer3 Version1 (GOT1000): All versions
- GT Designer3 Version1 (GOT2000): All versions
- GT SoftGOT1000 Version3: All versions
- GT SoftGOT2000 Version1: All versions
- GX Developer: All versions
- GX LogViewer: All versions
- GX Works2: All versions
- GX Works3: All versions
- iQ Works (MELSOFT Navigator): All versions
- MI Configurator: All versions
- Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions
- MR Configurator (SETUP221): All versions
- MR Configurator2: All versions
- MRZJW3-MC2-UTL: All versions
- MX Component: All versions
- MX OPC Server DA/UA (Software packaged with MC Works64): All versions
- PX Developer/Monitor Tool: All versions
- RT ToolBox3: All versions
- RT VisualBox: All versions
- Setting/monitoring tools for the C Controller module (SW4PVC-CCPU): All versions
- SW0DNC-MNETH-B: All versions
- SW1DNC-CCBD2-B: All versions
- SW1DNC-CCIEF-J: All versions
- SW1DNC-CCIEF-B: All versions
- SW1DNC-MNETG-B: All versions
- SW1DNC-QSCCF-B: All versions
- SW1DND-EMSDK-B All versions
3.2 Vulnerability Overview
3.2.1 Improper Privilege Management CWE-269
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2023-51776 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-51776. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.2 Uncontrolled Resource Consumption CWE-400
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2023-51777 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-51777. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.3 Out-of-bounds Write CWE-787
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2023-51778 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-51778. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 Uncontrolled Resource Consumption CWE-400
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22102 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22102. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.5 Out-of-bounds Write CWE-787
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22103 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22103. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22104 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22104. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.7 Uncontrolled Resource Consumption CWE-400
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-22105 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22105. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.8 Improper Privilege Management CWE-269
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition and/or to gain Windows system privileges and execute arbitrary commands.
CVE-2024-22106 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-22106. A base score of 4.4 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 Improper Privilege Management CWE-269
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-25086 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-25086. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.10 Uncontrolled Resource Consumption CWE-400
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to cause a Windows blue screen error that results in a denial-of-service condition.
CVE-2024-25087 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-25087. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.11 Improper Privilege Management CWE-269
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-25088 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-25088. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.12 Improper Privilege Management CWE-269
If a malicious code is executed on a computer where the affected software product is installed, these vulnerabilities may allow a local attacker to gain Windows system privileges and execute arbitrary commands.
CVE-2024-26314 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-26314. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Jongseong Kim, Byunghyun Kang, Sangjun Park, Yunjin Park, Kwon Yul, and Seungchan Kim reported these vulnerabilities to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:
- Restrict physical access to the computer using the product.
- Install an antivirus software in your computer using the affected product.
- Don’t open untrusted files or click untrusted links.
For additional information see Mitsubishi Electric advisory 2024-001.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY
- May 14, 2024: Initial Publication