Number: AV20-278
Date: 4 August 2020
On 30 July 2020 US-CERT published Advisories to highlight vulnerabilities in multiple Mitsubishi Electric Products:
- Mitsubishi Electric Factory Automation Engineering Products:
- C Controller Interface Module Utility, all versions
- C Controller Module Setting and Monitoring Tool, all versions
- CC-Link IE Control Network Data Collector, all versions
- CC-Link IE Field Network Data Collector, all versions
- CPU Module Logging Configuration Tool, Versions 1.100E and prior
- CW Configurator, Versions 1.010L and prior
- Data Transfer, all versions
- EZSocket, all versions
- FR Configurator SW3, all versions
- FR Configurator2, all versions
- GT Designer2 Classic, all versions
- GT Designer3 Version1 (GOT1000), all versions
- GT Designer3 Version1 (GOT2000), all versions
- GT SoftGOT1000 Version3, all versions
- GT SoftGOT2000 Version1, all versions
- GX Developer, Versions 8.504A and prior
- GX LogViewer, Versions 1.100E and prior
- GX Works2, all versions
- GX Works3, Versions 1.063R and prior
- M_CommDTM-IO-Link, all versions
- MELFA-Works, all versions
- MELSEC WinCPU Setting Utility, all versions
- MELSOFT Complete Clean Up Tool, all versions
- MELSOFT EM Software Development Kit, all versions
- MELSOFT iQ AppPortal, all versions
- MELSOFT Navigator, all versions
- MI Configurator, all versions
- Motion Control Setting, Versions 1.005F and prior
- Motorizer, Versions 1.005F and prior
- MR Configurator2, all versions
- MT Works2, all versions
- MTConnect Data Collector, all versions
- MX Component, all versions
- MX MESInterface, all versions
- MX MESInterface-R, all versions
- MX Sheet, all versions
- Network Interface Board CC IE Control Utility, all versions
- Network Interface Board CC IE Field Utility, all versions
- Network Interface Board CC-Link Ver.2 Utility, all versions
- Network Interface Board MNETH Utility, all versions
- Position Board utility 2, all versions
- PX Developer, all versions
- RT ToolBox2, all versions
- RT ToolBox3, all versions
- Setting/monitoring tools for the C Controller module, all versions
- SLMP Data Collector, all versions
- Mitsubishi Electric Factory Automation Products:
- CW Configurator,Versions 1.010L and prior
- FR Configurator2, Versions 1.22Y and prior
- GX Works2, Versions 1.595V and prior
- GX Works3, Versions 1.063R and prior
- MELSEC iQ-R Series Motion Module, all versions
- MELSOFT iQ AppPortal, all versions
- MELSOFT Navigator, all versions
- MI Configurator, all versions
- MR Configurator2, all versions
- MT Works2, Versions 1.156N and prior
- MX Component, all versions
- RT ToolBox3, Versions 1.70Y and prior
- Mitsubishi Electric Multiple Factory Automation Engineering Software Products:
- CPU Module Logging Configuration Tool, versions 1.100E and prior
- CW Configurator, versions 1.010L and prior
- Data Transfer, versions 3.40S and prior
- EZSocket, versions 4.5 and prior
- FR Configurator2, versions 1.22Y and prior
- GT Designer3 Version1 (GOT2000), versions 1.235V and prior
- GT SoftGOT1000 Version3, all versions
- GT SoftGOT2000 Version1, versions 1.235V and prior
- GX LogViewer, versions 1.100E and prior
- GX Works2, versions 1.592S and prior
- GX Works3, versions 1.063R and prior
- M_CommDTM-HART, version 1.00A
- M_CommDTM-IO-Link, all versions
- MELFA-Works, versions 4.3 and prior
- MELSEC WinCPU Setting Utility, all versions
- MELSOFT EM Software Development Kit (EM Configurator), versions 1.010L and prior
- MELSOFT FieldDeviceConfigurator, versions 1.03D and prior
- MELSOFT Navigator, versions 2.62Q and prior
- MH11 SettingTool Version2, versions 2.002C and prior
- MI Configurator, all versions
- Motorizer, versions 1.005F and prior
- MR Configurator2, versions 1.105K and prior
- MT Works2, versions 1.156N and prior
- MX Component, versions 4.19V and prior
- Network Interface Board CC IE Control utility, all versions
- Network Interface Board CC IE Field Utility, all versions
- Network Interface Board CC-Link Ver.2 Utility, all versions
- Network Interface Board MNETH utility, all versions
- PX Developer, versions 1.52E and prior
- RT ToolBox2, versions 3.72A and prior
- RT ToolBox3, versions 1.70Y and prior
- Setting/monitoring tools for the C Controller module, all versions
Exploitation of some of these vulnerabilities could allow an actor to escalate privilege, execute malicious programs, cause a denial-of-service condition and disclose, tamper with or destroy information.
The Cyber Centre encourages users and administrators to review the provided web links, perform the suggested mitigations and apply the necessary manufacturer updates:
Mitsubishi Electric Factory Automation Engineering Products
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04
Mitsubishi Electric Factory Automation Products
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-03
Mitsubishi Electric Multiple Factory Automation Engineering Software Products
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-02
Note to Readers
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure , Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.