search

aliasrobotics / RVD

Robot Vulnerability Database. An archive of robot vulnerabilities and bugs.
https://aliasrobotics.com
GNU General Public License v3.0
168 stars 30 forks source link

RVD#3328: Privilege Escalation and DoS on several Mitsubishi products. #3328

Closed glerapic closed 3 years ago

glerapic commented 3 years ago 
id: 3328
title: 'RVD#3328: Privilege Escalation and DoS on several Mitsubishi products.'
type: Vulnerability
description: A permissions issue in GX Works 2 & 3 and MELSOFT could allow an attacker
  to escalate privilege and execute malicious programs, which could cause a denial-of-service
  condition, and allow information to be disclosed, tampered with, and/or destroyed.
cwe: CWE-275
cve: CVE-2020-14496
keywords:
- Mitsubishi, DoS, Privilege escalation
system:
- GX Works2, GX Works3, MELSOFT
vendor: Mitsubishi Electric Corporation
severity:
  rvss-score: 8.9
  rvss-vector: RVSS:1.0/AV:RN/AC:H/PR:N/UI:R/S:C/Y:T/C:H/I:H/A:H/H:U
  severity-description: high
  cvss-score: 8.3
  cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
links:
- https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
- https://github.com/aliasrobotics/RVD/issues/3328
flaw:
  phase: runtime-operation
  specificity: subject-specific
  architectural-location: application-specific code
  application: GX Works2, GX Works3, MELSOFT
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: '2020-08-03'
  detected-by: Patxi Mayoral (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-08-20'
  reported-by: Patxi Mayoral (Alias Robotics)
  reported-by-relationship: security-researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3328
  reproducibility: always
  trace: N/A
  reproduction: Not Disclosed
  reproduction-image: Not Disclosed
exploitation:
  description: A Path traversal exploitation can lead to non authorized reading of
    arbitrary files, cause a denial-of-service condition, and allow execution of a
    malicious binary by a malicious third party.
  exploitation-image: Not Disclosed
  exploitation-vector: Not Disclosed
  exploitation-recipe: ''
mitigation:
  description: Download the latest version of each software product and update it.
  pull-request: https://www.mitsubishielectric.com/fa/#software
  date-mitigation: null
vmayoral commented 3 years ago

If mitigated we should close this ticket. Proceeding.