CVE Vulnerabilities

CVE-2020-14521

Unquoted Search Path or Element

Published: Feb 11, 2022 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Weakness

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

Affected Software

Name Vendor Start Version End Version
C_controller_interface_module_utility Mitsubishielectric * *
C_controller_module_setting_and_monitoring_tool Mitsubishielectric * *
Cc-link_ie_control_network_data_collector Mitsubishielectric 1.00a (including) 1.00a (including)
Cc-link_ie_field_network_data_collector Mitsubishielectric 1.00a (including) 1.00a (including)
Cc-link_ie_tsn_data_collector Mitsubishielectric 1.00a (including) 1.00a (including)
Cpu_module_logging_configuration_tool Mitsubishielectric * 1.100e (including)
Cw_configurator Mitsubishielectric * 1.010l (including)
Data_transfer Mitsubishielectric * 3.42u (including)
Ezsocket Mitsubishielectric * 5.1 (including)
Fr_configurator_sw3 Mitsubishielectric * *
Fr_configurator2 Mitsubishielectric * *
Gt_designer2_classic Mitsubishielectric * *
Gt_softgot1000 Mitsubishielectric 3.0 (including) 3.200j (including)
Gt_softgot2000 Mitsubishielectric 1.0 (including) 1.241b (including)
Gx_developer Mitsubishielectric * 8.504a (including)
Gx_logviewer Mitsubishielectric * 1.100e (including)
Gx_works2 Mitsubishielectric * 1.601b (including)
Gx_works3 Mitsubishielectric * 1.063r (including)
M_commdtm-io-link Mitsubishielectric * *
Melfa-works Mitsubishielectric * 4.4 (including)
Melsec_wincpu_setting_utility Mitsubishielectric * *
Melsoft_complete_clean_up_tool Mitsubishielectric * 1.06g (including)
Melsoft_em_software_development_kit Mitsubishielectric * *
Melsoft_iq_appportal Mitsubishielectric * 1.17t (including)
Melsoft_navigator Mitsubishielectric * 2.74c (including)
Mi_configurator Mitsubishielectric * *
Motion_control_setting Mitsubishielectric * 1.005f (including)
Motorizer Mitsubishielectric * 1.005f (including)
Mr_configurator2 Mitsubishielectric * 1.125f (including)
Mt_works2 Mitsubishielectric * 1.167z (including)
Mtconnect_data_collector Mitsubishielectric * 1.1.4.0 (including)
Mx_component Mitsubishielectric * 4.20w (including)
Mx_mesinterface Mitsubishielectric * 1.21x (including)
Mx_mesinterface-r Mitsubishielectric * 1.12n (including)
Mx_sheet Mitsubishielectric * 2.15r (including)
Position_board_utility_2 Mitsubishielectric * *
Px_developer Mitsubishielectric * 1.53f (including)
Rt_toolbox2 Mitsubishielectric * 3.73b (including)
Rt_toolbox3 Mitsubishielectric * 1.82l (including)
Setting/monitoring_tools_for_the_c_controller_module Mitsubishielectric * *
Slmp_data_collector Mitsubishielectric * 1.04e (including)

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

References