- EXECUTIVE SUMMARY
CVSS v3 9.3
NOTE: Low attack complexity
Vendor: Mitsubishi Electric
Product: FA Engineering Software Solutions
Vulnerability: Improper Default Permissions
2. RISK ASSESSMENT
Exploiting this vulnerability successfully could enable a local attacker to execute code, potentially leading to information exposure, unauthorized data alterations, or triggering a denial-of-service (DoS) scenario.
3. TECHNICAL SPECIFICATIONS
3.1 IMPACTED PRODUCTS
The subsequent versions of Mitsubishi Electric’s FA Engineering Software Solutions are affected:
GX Works3: All releases
3.2 Vulnerability Overview
3.2.1 IMPROPER DEFAULT PERMISSIONS CWE-276
In all iterations of Mitsubishi Electric’s GX Works3, there exists a potential for code execution due to permission-related issues. This could grant an attacker the ability to cause information exposure, unauthorized data alterations, or induce a denial-of-service (DoS) condition.
CVE-2023-4088 has been assigned to this vulnerability. The CVSS v3 base score has been computed at 9.3, with the CVSS vector string noted as (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
GLOBALLY DEPLOYED: Worldwide
CORPORATE HEADQUARTERS: Japan
01dGu0 from ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.
Mitsubishi Electric advises customers to implement the following mitigation measures to minimize the potential exploitation of this vulnerability:
Ensure the installation of the version outlined in the Mitsubishi Electric advisory is in the default installation directory. If a deviation from the default is necessary, select a directory accessible only by users with Administrator privileges.
Deploy antivirus software on computers utilizing the affected product.
Use computers with the affected product exclusively within the LAN, and restrict remote login from untrusted networks, hosts, and users.
When connecting your computer with the affected product to the Internet, employ a firewall, virtual private network (VPN), etc., and permit remote login only for trusted users.
Exercise caution when handling untrusted files or clicking on unfamiliar links.
For additional information, refer to the Mitsubishi security advisory.
CISA strongly recommends users implement defensive measures to minimize the vulnerability’s exploitation risk. Additionally, organizations are reminded to conduct thorough impact analysis and risk assessment before deploying defensive strategies.
CISA also offers a section on control systems security best practices on the ICS webpage at cisa.gov/ics. Numerous CISA products detailing best practices for cybersecurity defense are available for reading and download, including resources on Enhancing Industrial Control Systems Cybersecurity with Multi-Layered Defensive Strategies.
CISA encourages organizations to adopt recommended cybersecurity strategies for proactive protection of ICS assets.