Description:

Mitsubishi Electric has released security updates to address multiple vulnerabilities in the following products:

• GOT2000 models GT27, GT25, GT23
  • All communication driver versions between 01.19.000 and 01.39.010. These versions are affected when using the “MODBUS/TCP Slave, Gateway” communication driver.
• GT SoftGOT2000
  • All versions between 1.170C and 1.256S. These versions are affected when configured to use “MODBUS/TCP Slave”
• GOT2000 series
  • GT27 model: VNC server
    • Versions 01.39.010 and prior
  • GT25 model: VNC server
    • Versions 01.39.010 and prior
  • GT21 model: 
    • GT2107-WTBD: VNC server
      • Versions 01.40.000 and prior
    • GT2107-WTSD: VNC server
      • Versions 01.40.000 and prior
• GOT SIMPLE series
  • GS21 model
    • GS2110-WTBD-N: VNC server
      • Versions 01.40.000 and prior
    • GS2107-WTBD-N: VNC server
      • Versions 01.40.000 and prior
• C Controller Interface Module Utility
  • all versions
• C Controller Module Setting and Monitoring Tool
  • all versions
• CC-Link IE Control Network Data Collector
  • all versions
• CC-Link IE Field Network Data Collector
  • all versions
• CPU Module Logging Configuration Tool
  • Versions 1.100E and prior
• CW Configurator
  • Versions 1.010L and prior
• Data Transfer
  • Versions 3.42U and prior
• EZSocket
  • version 5.1 and prior
• FR Configurator SW3
  • all versions
• FR Configurator2
  • all versions
• GT Designer2 Classic
  • all versions
• GT Designer3 Version1 (GOT1000)
  • Versions 1.241B and prior
• GT Designer3 Version1 (GOT2000)
  • Versions 1.241B and prior
• GT SoftGOT1000 Version3
  • Versions 3.200J and prior
• GT SoftGOT2000 Version1
  • Versions 1.241B and prior
• GX Developer
  • Versions 8.504A and prior
• GX LogViewer
  • Versions 1.100E and prior
• GX Works2
  • all versions
• GX Works3
  • Versions 1.063R and prior
• M_CommDTM-IO-Link
  • all versions
• MELFA-Works
  • all versions
• MELSEC WinCPU Setting Utility
  • all versions
• MELSOFT Complete Clean Up Tool
  • all versions
• MELSOFT EM Software Development Kit
  • all versions
• MELSOFT iQ AppPortal
  • 1.17T and prior
• MELSOFT Navigator
  • all versions
• MI Configurator
  • all versions
• Motion Control Setting
  • Versions 1.005F and prior
• Motorizer
  • Versions 1.005F and prior
• MR Configurator2
  • all versions
• MT Works2
  • all versions
• MTConnect Data Collector
  • all versions
• MX Component
  • Version 4.20W and prior
• MX MESInterface
  • Versions 1.21X and prior
• MX MESInterface-R
  • Versions 1.12N and prior
• MX Sheet
  • Version 2.15R and prior
• Network Interface Board CC IE Control Utility
  • all versions
• Network Interface Board CC IE Field Utility
  • all versions
• Network Interface Board CC-Link Ver.2 Utility
  • all versions
• Network Interface Board MNETH Utility
  • all versions
• Position Board utility 2
  • all versions
• PX Developer
  • version 1.53F and prior
• RT ToolBox2
  • all versions
• RT ToolBox3
  • all versions
• Setting/monitoring tools for the C Controller module
  • all versions
• SLMP Data Collector
  • all versions

Threats:

Attackers could exploit these vulnerabilities by doing the following:

• Triggering a Denial of service attack (DoS)
• Gain unauthorized access

Best practice and Recommendations:

The CERT team encourages users to review Mitsubishi Electric security advisory:

• https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-007_en.pdf
• https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-007_en.pdf