CVE-2020-14521

Incorrect Default Permissions

Published: Feb 11, 2022 | Modified: Nov 07, 2023

CVSS 3.x: 9.8 CRITICAL (Source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.x: 7.5 HIGH
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Weakness

During installation, installed file permissions are set to allow anyone to modify those files.

Affected Software

Name | Vendor | Start version | End version
C_controller_interface_module_utility | Mitsubishielectric | * | *
C_controller_module_setting_and_monitoring_tool | Mitsubishielectric | * | *
Cc-link_ie_control_network_data_collector | Mitsubishielectric | 1.00a (including) | 1.00a (including)
Cc-link_ie_field_network_data_collector | Mitsubishielectric | 1.00a (including) | 1.00a (including)
Cc-link_ie_tsn_data_collector | Mitsubishielectric | 1.00a (including) | 1.00a (including)
Cpu_module_logging_configuration_tool | Mitsubishielectric | * | 1.100e (including)
Cw_configurator | Mitsubishielectric | * | 1.010l (including)
Data_transfer | Mitsubishielectric | * | 3.42u (including)
Ezsocket | Mitsubishielectric | * | 5.1 (including)
Fr_configurator_sw3 | Mitsubishielectric | * | *
Fr_configurator2 | Mitsubishielectric | * | *
Gt_designer2_classic | Mitsubishielectric | * | *
Gt_softgot1000 | Mitsubishielectric | 3.0 (including) | 3.200j (including)
Gt_softgot2000 | Mitsubishielectric | 1.0 (including) | 1.241b (including)
Gx_developer | Mitsubishielectric | * | 8.504a (including)
Gx_logviewer | Mitsubishielectric | * | 1.100e (including)
Gx_works2 | Mitsubishielectric | * | 1.601b (including)
Gx_works3 | Mitsubishielectric | * | 1.063r (including)
M_commdtm-io-link | Mitsubishielectric | * | *
Melfa-works | Mitsubishielectric | * | 4.4 (including)
Melsec_wincpu_setting_utility | Mitsubishielectric | * | *
Melsoft_complete_clean_up_tool | Mitsubishielectric | * | 1.06g (including)
Melsoft_em_software_development_kit | Mitsubishielectric | * | *
Melsoft_iq_appportal | Mitsubishielectric | * | 1.17t (including)
Melsoft_navigator | Mitsubishielectric | * | 2.74c (including)
Mi_configurator | Mitsubishielectric | * | *
Motion_control_setting | Mitsubishielectric | * | 1.005f (including)
Motorizer | Mitsubishielectric | * | 1.005f (including)
Mr_configurator2 | Mitsubishielectric | * | 1.125f (including)
Mt_works2 | Mitsubishielectric | * | 1.167z (including)
Mtconnect_data_collector | Mitsubishielectric | * | 1.1.4.0 (including)
Mx_component | Mitsubishielectric | * | 4.20w (including)
Mx_mesinterface | Mitsubishielectric | * | 1.21x (including)
Mx_mesinterface-r | Mitsubishielectric | * | 1.12n (including)
Mx_sheet | Mitsubishielectric | * | 2.15r (including)
Position_board_utility_2 | Mitsubishielectric | * | *
Px_developer | Mitsubishielectric | * | 1.53f (including)
Rt_toolbox2 | Mitsubishielectric | * | 3.73b (including)
Rt_toolbox3 | Mitsubishielectric | * | 1.82l (including)
Setting/monitoring_tools_for_the_c_controller_module | Mitsubishielectric | * | *
Slmp_data_collector | Mitsubishielectric | * | 1.04e (including)

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
