id: 3328
title: 'RVD#3328: Privilege Escalation and DoS on several Mitsubishi products.'
type: Vulnerability
description: A permissions issue in GX Works 2 & 3 and MELSOFT could allow an attacker
to escalate privilege and execute malicious programs, which could cause a denial-of-service
condition, and allow information to be disclosed, tampered with, and/or destroyed.
cwe: CWE-275
cve: CVE-2020-14496
keywords:
- Mitsubishi, DoS, Privilege escalation
system:
- GX Works2, GX Works3, MELSOFT
vendor: Mitsubishi Electric Corporation
severity:
rvss-score: 8.9
rvss-vector: RVSS:1.0/AV:RN/AC:H/PR:N/UI:R/S:C/Y:T/C:H/I:H/A:H/H:U
severity-description: high
cvss-score: 8.3
cvss-vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
links:
- https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B
- https://github.com/aliasrobotics/RVD/issues/3328
flaw:
phase: runtime-operation
specificity: subject-specific
architectural-location: application-specific code
application: GX Works2, GX Works3, MELSOFT
subsystem: N/A
package: N/A
languages: N/A
date-detected: '2020-08-03'
detected-by: Patxi Mayoral (Alias Robotics)
detected-by-method: testing-dynamic
date-reported: '2020-08-20'
reported-by: Patxi Mayoral (Alias Robotics)
reported-by-relationship: security-researcher
issue: https://github.com/aliasrobotics/RVD/issues/3328
reproducibility: always
trace: N/A
reproduction: Not Disclosed
reproduction-image: Not Disclosed
exploitation:
description: Exploiting the path traversal can lead to unauthorized reading of
arbitrary files, cause a denial-of-service condition, and allow a malicious third
party to execute a malicious binary.
exploitation-image: Not Disclosed
exploitation-vector: Not Disclosed
exploitation-recipe: ''
mitigation:
description: Download the latest version of each software product and update it.
pull-request: https://www.mitsubishielectric.com/fa/#software
date-mitigation: null