CVE-2020-14521

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Weakness

During installation, installed file permissions are set to allow anyone to modify those files.

Affected Software

Name	Vendor	Start Version	End Version
C_controller_interface_module_utility	Mitsubishielectric	*	*
C_controller_module_setting_and_monitoring_tool	Mitsubishielectric	*	*
Cc-link_ie_control_network_data_collector	Mitsubishielectric	1.00a (including)	1.00a (including)
Cc-link_ie_field_network_data_collector	Mitsubishielectric	1.00a (including)	1.00a (including)
Cc-link_ie_tsn_data_collector	Mitsubishielectric	1.00a (including)	1.00a (including)
Cpu_module_logging_configuration_tool	Mitsubishielectric	*	1.100e (including)
Cw_configurator	Mitsubishielectric	*	1.010l (including)
Data_transfer	Mitsubishielectric	*	3.42u (including)
Ezsocket	Mitsubishielectric	*	5.1 (including)
Fr_configurator_sw3	Mitsubishielectric	*	*
Fr_configurator2	Mitsubishielectric	*	*
Gt_designer2_classic	Mitsubishielectric	*	*
Gt_softgot1000	Mitsubishielectric	3.0 (including)	3.200j (including)
Gt_softgot2000	Mitsubishielectric	1.0 (including)	1.241b (including)
Gx_developer	Mitsubishielectric	*	8.504a (including)
Gx_logviewer	Mitsubishielectric	*	1.100e (including)
Gx_works2	Mitsubishielectric	*	1.601b (including)
Gx_works3	Mitsubishielectric	*	1.063r (including)
M_commdtm-io-link	Mitsubishielectric	*	*
Melfa-works	Mitsubishielectric	*	4.4 (including)
Melsec_wincpu_setting_utility	Mitsubishielectric	*	*
Melsoft_complete_clean_up_tool	Mitsubishielectric	*	1.06g (including)
Melsoft_em_software_development_kit	Mitsubishielectric	*	*
Melsoft_iq_appportal	Mitsubishielectric	*	1.17t (including)
Melsoft_navigator	Mitsubishielectric	*	2.74c (including)
Mi_configurator	Mitsubishielectric	*	*
Motion_control_setting	Mitsubishielectric	*	1.005f (including)
Motorizer	Mitsubishielectric	*	1.005f (including)
Mr_configurator2	Mitsubishielectric	*	1.125f (including)
Mt_works2	Mitsubishielectric	*	1.167z (including)
Mtconnect_data_collector	Mitsubishielectric	*	1.1.4.0 (including)
Mx_component	Mitsubishielectric	*	4.20w (including)
Mx_mesinterface	Mitsubishielectric	*	1.21x (including)
Mx_mesinterface-r	Mitsubishielectric	*	1.12n (including)
Mx_sheet	Mitsubishielectric	*	2.15r (including)
Position_board_utility_2	Mitsubishielectric	*	*
Px_developer	Mitsubishielectric	*	1.53f (including)
Rt_toolbox2	Mitsubishielectric	*	3.73b (including)
Rt_toolbox3	Mitsubishielectric	*	1.82l (including)
Setting/monitoring_tools_for_the_c_controller_module	Mitsubishielectric	*	*
Slmp_data_collector	Mitsubishielectric	*	1.04e (including)

Potential Mitigations

Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-14521
CWE	https://cwe.mitre.org/data/definitions/276.html

Incorrect Default Permissions

Weakness

Affected Software

Potential Mitigations

References

CVE-2020-14521

Incorrect Default Permissions

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References