(I)IoT Security News
Critical vulnerabiliities, Cyber Security, Data breach, Exploit, Hacks, ICS, Industrial IoT (IIoT), IoT Security, Vulnerabilities

Mitsubishi Electric GOT and Tension Controller (Update A)

GOT2000 Series

1. EXECUTIVE SUMMARY

——— Begin Update A Part 1 of 2 ———

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric.

——— End Update A Part 1 of 2 ———

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-278-01 Mitsubishi Electric GOT and Tension Controller that was published October 5, 2021, to the ICS webpage on www.cisa.gov/uscert.

3. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition by sending specially crafted packets.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

4.2 VULNERABILITY OVERVIEW

4.2.1    IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions due to the improper handling of exceptional conditions.

CVE-2021-20602 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.2    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.3    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20604 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.2.4    IMPROPER INPUT VALIDATION CWE-20

An attacker could send specially crafted packets cause to cause several different denial-of-service conditions in the TCP-IP protocol stack of GOT and Tension Controller.

CVE-2021-20605 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

4.3 BACKGROUND

4.4 RESEARCHER

Mitsubishi Electric reported these vulnerabilities to CISA.

5. MITIGATIONS

——— Begin Update A Part 2 of 2 ———

Mitsubishi Electric PSIRT has informed CISA that further research has shown the vulnerabilities listed in this advisory do not impact the devices listed below and no mitigation access is required. Mitsubishi Electric will be removing its vulnerability notice from its website on April 7, 2022. Any questions regarding this new information should be directed to Mitsubishi Electric support.

——— End Update A Part 2 of 2 ———

Source:

https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-01

Related posts

Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products (Update E)

(I) IoT
6 years ago

Cisco addresses a critical bug in ASR 9000 series Routers

(I) IoT
6 years ago

Siemens SIPROTEC 4 and SIPROTEC Compact

(I) IoT
5 years ago
Exit mobile version