Multiple vulnerabilities in Mitsubishi Electric GT14 Model of GOT1000 Series
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2020-5644 CVE-2020-5645 CVE-2020-5646 CVE-2020-5647 CVE-2020-5648 CVE-2020-5649 |
| CWE-ID | CWE-119 CWE-384 CWE-476 CWE-284 CWE-88 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
GT1450-QMBDE Hardware solutions / Firmware GT1450-QLBDE Hardware solutions / Firmware GT1455HS-QTBDE Hardware solutions / Firmware GT1450HS-QMBDE Hardware solutions / Firmware CoreOS Hardware solutions / Firmware GT1455-QTBDE Hardware solutions / Firmware |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU48534
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5644
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can send a specially crafted packet, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Session Fixation
EUVDB-ID: #VU48535
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5645
CWE-ID:
CWE-384 - Session Fixation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the session invalidation issue. A remote attacker can send a specially crafted packet and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) NULL Pointer Dereference
EUVDB-ID: #VU48536
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5646
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can send a specially crafted packet and trigger denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU48537
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5647
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can send a specially crafted packet and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Neutralization of Argument Delimiters in a Command
EUVDB-ID: #VU48538
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5648
CWE-ID:
CWE-88 - Improper Neutralization of Argument Delimiters in a Command
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability due to improper neutralization of argument delimiters in a command. A remote attacker on the local network can send a specially crafted packet and cause a denial-of-service condition or execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Resource management error
EUVDB-ID: #VU48539
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5649
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker can send a specially crafted packet and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGT1450-QMBDE: All versions
GT1450-QLBDE: All versions
GT1455HS-QTBDE: All versions
GT1450HS-QMBDE: All versions
CoreOS: 05.65.00
GT1455-QTBDE: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:gt1450-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450-qlbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455hs-qtbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1450hs-qmbde:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:*:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:coreos:05.65.00:*:*:*:*:*:*:
- cpe:2.3:h:mitsubishi_electric:gt1455-qtbde:*:*:*:*:*:*:*:
http://jvn.jp/vu/JVNVU99562395/index.html
http://us-cert.cisa.gov/ics/advisories/icsa-20-310-02
http://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
