ID

VAR-202010-0395


CVE

CVE-2020-16226


TITLE

TCP session management flaw in the protocol stack of multiple Mitsubishi Electric products

Trust: 0.8

sources: JVNDB: JVNDB-2020-008251

DESCRIPTION

Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands. A session management vulnerability exists in the TCP protocol stack of multiple Mitsubishi Electric products. This vulnerability information is provided by the developer for the purpose of dissemination to product users. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of ACK packets. When generating ACK packets, the application uses a predictable sequence number. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. The Mitsubishi Electric GT14 model is a device from Mitsubishi Electric of Japan that provides a human-machine interface in industrial production processes. Multiple Mitsubishi Electric products contain a command execution vulnerability that allows an attacker to impersonate a legitimate device and thereby remotely execute arbitrary commands.

The following products and versions are affected: QJ71MES96 all versions, QJ71WS96 all versions, Q06CCPU-V all versions, Q24DHCCPU-V all versions, Q24DHCCPU-VG all versions, R12CCPU-V Version 13 and prior, RD55UP06-V Version 09 and prior, RD55UP12-V Version 01, RJ71GN11-T2 Version 11 and prior, RJ71EN71 all versions, QJ71E71-100 all versions, LJ71E71-100 all versions, QJ71MT91 all versions, RD78Gn(n=4,8,16,32,64) all versions, RD78GHV all versions, RD78GHW all versions, NZ2GACP620-60 all versions, NZ2GACP620-300 all versions, NZ2FT-MT all versions, NZ2FT-EIP all versions, Q03UDECPU the first 5 digits of serial number 22081 and prior, QnUDEHCPU(n=04/06/10/13/20/26/50/100) the first 5 digits of serial number 22081 and prior, QnUDVCPU(n=03/04/06/13/26) the first 5 digits of serial number 22031 and prior, QnUDPVCPU(n=04/06/13/26) the first 5 digits of serial number 22031 and prior, LnCPU(-P)(n=02/06/26) the first 5 digits of serial number 22051 and prior, L26CPU-(P)BT the first 5 digits of serial number 22051 and prior, RnCPU(n=00/01/02) Version 18 and prior, RnCPU(n=04/08/16/32/120) Version 50 and prior, RnENCPU(n=04/08/16/32/120) Version 50 and prior, RnSFCPU (n=08/16/32/120) Version 22 and prior, RnPCPU(n=08/16/32/120) Version 24 and prior, RnPSFCPU(n=08/16/32/120) Version 05 and prior, FX5U(C)-**M*/**, FX5UC-32M*/**-TS Version 1.210 and prior, FX5UJ-**M*/** Version 1.000, FX5-ENET Version 1.002 and prior, FX5-ENET/IP Version 1.002 and prior, FX3U-ENET-ADP Version 1.22 and prior, FX3GE-**M*/** the first 3 digits of serial number 20X and prior, FX3U-ENET Version 1.14 and prior, FX3U-ENET-L Version 1.14 and prior, FX3U-ENET-P502 Version 1.14 and prior, FX5-CCLGN-MS Version 1.000, IU1-1M20-D all versions, LE7-40GU-L all versions, GOT2000 Series GT21 Model all versions, GS Series all versions, GOT1000 Series GT14 Model all versions, GT25-J71GN13-T2 all versions, FR-A800-E Series production date December 2020 and prior, FR-F800-E Series production date December 2020 and prior, FR-A8NCG Production date August 2020 and prior, FR-E800-EPA Series Production date July 2020 and prior, FR-E800-EPB Series Production date July 2020 and prior, Conveyor Tracking Application APR-nTR3FH APR-nTR6FH APR-nTR12FH APR-nTR20FH(n=1,2) all versions (Discontinued product), MR-JE-C all versions, MR-J4-TM all versions

Trust: 2.88

sources: NVD: CVE-2020-16226 // JVNDB: JVNDB-2020-008251 // ZDI: ZDI-20-1207 // CNNVD: CNNVD-202009-074 // VULMON: CVE-2020-16226

AFFECTED PRODUCTS

vendor:mitsubishielectricmodel:qj71mes96scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3u-enetscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a8ncgescope:lteversion:2020-08

Trust: 1.0

vendor:mitsubishielectricmodel:rd55up12-vscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:q24dhccpu-vgscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:conveyor tracking application apr-ntr12fhscope:eqversion: -

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-60mt\/essscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a842-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:nz2gacp620-60scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-14mt\/dssscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:nz2ft-eipscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:qnudehcpu\scope:lteversion:22081

Trust: 1.0

vendor:mitsubishielectricmodel:q03udecpuscope:lteversion:22081

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-24mt\/dssscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:qj71mt91scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-60mt\/essscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:rnsfcpu \scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-24mt\/essscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:rncpu\ tscope:lteversion:18

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-14mt\/essscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uc-32mt\/dscope:eqversion:1.210

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-32 mt\/dssscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:le7-40gu-lscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:gt25-j71gn13-t2scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:conveyor tracking application apr-ntr6fhscope:eqversion: -

Trust: 1.0

vendor:mitsubishielectricmodel:rnpcpu\scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rnpsfcpu\scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:l26cpu-\ btscope:lteversion:22051

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-40mt\/dssscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:nz2gacp620-300scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-14mr\/esscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:got1000 series gt14scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-60mt\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-40mr\/dsscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:qnudpvcpu\scope:lteversion:22031

Trust: 1.0

vendor:mitsubishielectricmodel:q24dhccpu-vscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-60mr\/esscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-f842-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rd78ghwscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rncpu\scope:lteversion:50

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-14mr\/dsscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-40mt\/essscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:rj71en71scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-24mt\/essscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a862-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-40mt\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:mr-j4-tmscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-f862-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5-cclgn-msscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:iu1-1m20-dscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-f840-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-24mr\/dsscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5-enet-adpscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a820-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-f820-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-40mr\/esscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-e800-epascope:lteversion:2020-07

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-24mt\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uc-32mr\/ds-tsscope:eqversion:1.210

Trust: 1.0

vendor:mitsubishielectricmodel:rnencpu\scope:lteversion:50

Trust: 1.0

vendor:mitsubishielectricmodel:lj71e71-100scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:mr-je-cscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3u-enet-p502scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-60mr\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uc-32mt\/dssscope:eqversion:1.210

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-40mr\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uj-24mr\/esscope:eqversion:1.000

Trust: 1.0

vendor:mitsubishielectricmodel:qj71ws96scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rd78ghvscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-60mt\/dssscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3u-enet-lscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rd78gn\scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:conveyor tracking application apr-ntr20fh\scope:eqversion: -

Trust: 1.0

vendor:mitsubishielectricmodel:conveyor tracking application apr-ntr3fhscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rd55up06-vscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:rj71gn11-t2scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:lncpu\ \scope:lteversion:22051

Trust: 1.0

vendor:mitsubishielectricmodel:q06ccpu-vscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uc-32mt\/dss-tsscope:eqversion:1.210

Trust: 1.0

vendor:mitsubishielectricmodel:fx5-enet\/ipscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a840-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-e800-epbscope:lteversion:2020-07

Trust: 1.0

vendor:mitsubishielectricmodel:qnudvcpu\scope:lteversion:22031

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-60mr\/dsscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-a860-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:got2000 series gt21scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fr-f860-escope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:r12ccpu-vscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5uc-32mt\/ds-tsscope:eqversion:1.210

Trust: 1.0

vendor:mitsubishielectricmodel:nz2ft-mtscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:qj71e71-100scope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx5-enetscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-40mt\/essscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:fx3g-24mr\/esscope:eqversion:*

Trust: 1.0

vendor:mitsubishielectricmodel:got simple series gs21scope:eqversion:*

Trust: 1.0

vendor:三菱電機model:(複数の製品)scope:eqversion:(multiple products)

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * ac the servo melservo

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * lossnay central ventilation system

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * display got

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion: -

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * air conditioning control system / centralized controller

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * air conditioning control system / expansion controller

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * energy measurement unit

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:affected products s vary widely. for more information, please check the information provided by the developer.

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * range hood fan

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * data collection analyzer melqic

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * hems compatible adapter, lan adapter

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * air conditioning control system / bm adapter

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * room air conditioner

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * bath drying/heating/ventilation system

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * solar power system color monitor eco guide

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * ventilation fan for duct

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * tension controller

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * inverter freqrol

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * mitsubishi energy saving dem monitoring server e-energy

Trust: 0.8

vendor:三菱電機model:(複数の製品)scope:eqversion:it was * robot melfa

Trust: 0.8

vendor:mitsubishi electricmodel:melsec iq-fscope: - version: -

Trust: 0.7

sources: ZDI: ZDI-20-1207 // JVNDB: JVNDB-2020-008251 // NVD: CVE-2020-16226

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-16226
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-16226
value: HIGH

Trust: 0.8

ZDI: CVE-2020-16226
value: CRITICAL

Trust: 0.7

CNNVD: CNNVD-202009-074
value: CRITICAL

Trust: 0.6

VULMON: CVE-2020-16226
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-16226
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

nvd@nist.gov: CVE-2020-16226
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-16226
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2020-16226
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-20-1207 // VULMON: CVE-2020-16226 // JVNDB: JVNDB-2020-008251 // CNNVD: CNNVD-202009-074 // NVD: CVE-2020-16226

PROBLEMTYPE DATA

problemtype:CWE-342

Trust: 1.0

problemtype:Lack of information (CWE-noinfo) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2020-008251 // NVD: CVE-2020-16226

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202009-074

TYPE

Command execution

Trust: 0.6

sources: CNNVD: CNNVD-202009-074

PATCH

title: TCP Spoofing Vulnerability in the Protocol Stack of Our Products
url: https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-009.pdf

Trust: 0.8

title: Mitsubishi Electric has issued an update to correct this vulnerability.
url: https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01

Trust: 0.7

title: mitsubishielectric Fixes for remote command execution vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=127702

Trust: 0.6

sources: ZDI: ZDI-20-1207 // JVNDB: JVNDB-2020-008251 // CNNVD: CNNVD-202009-074

EXTERNAL IDS

db:NVDid:CVE-2020-16226

Trust: 3.2

db:ICS CERTid:ICSA-20-245-01

Trust: 2.5

db:JVNid:JVNVU93926439

Trust: 0.8

db:JVNDBid:JVNDB-2020-008251

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-10966

Trust: 0.7

db:ZDIid:ZDI-20-1207

Trust: 0.7

db:AUSCERTid:ESB-2020.3041

Trust: 0.6

db:AUSCERTid:ESB-2022.4767

Trust: 0.6

db:CNNVDid:CNNVD-202009-074

Trust: 0.6

db:VULMONid:CVE-2020-16226

Trust: 0.1

sources: ZDI: ZDI-20-1207 // VULMON: CVE-2020-16226 // JVNDB: JVNDB-2020-008251 // CNNVD: CNNVD-202009-074 // NVD: CVE-2020-16226

REFERENCES

url:https://us-cert.cisa.gov/ics/advisories/icsa-20-245-01

Trust: 3.8

url:https://jvn.jp/vu/jvnvu93926439/

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2020.3041/

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2020-16226

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4767

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/342.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.cisa.gov/uscert/ics/advisories/icsa-20-245-01

Trust: 0.1

sources: ZDI: ZDI-20-1207 // VULMON: CVE-2020-16226 // JVNDB: JVNDB-2020-008251 // CNNVD: CNNVD-202009-074 // NVD: CVE-2020-16226

CREDITS

Ta-Lun Yen of TXOne IoT/ICS Security Research Labs (Trend Micro)

Trust: 0.7

sources: ZDI: ZDI-20-1207

SOURCES

db:ZDIid:ZDI-20-1207
db:VULMONid:CVE-2020-16226
db:JVNDBid:JVNDB-2020-008251
db:CNNVDid:CNNVD-202009-074
db:NVDid:CVE-2020-16226

LAST UPDATE DATE

2024-08-14T15:22:32.496000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-20-1207date:2020-09-17T00:00:00
db:VULMONid:CVE-2020-16226date:2020-10-22T00:00:00
db:JVNDBid:JVNDB-2020-008251date:2022-09-26T08:55:00
db:CNNVDid:CNNVD-202009-074date:2022-09-28T00:00:00
db:NVDid:CVE-2020-16226date:2020-10-22T18:59:52.350

SOURCES RELEASE DATE

db:ZDIid:ZDI-20-1207date:2020-09-08T00:00:00
db:VULMONid:CVE-2020-16226date:2020-10-05T00:00:00
db:JVNDBid:JVNDB-2020-008251date:2020-09-07T00:00:00
db:CNNVDid:CNNVD-202009-074date:2020-09-01T00:00:00
db:NVDid:CVE-2020-16226date:2020-10-05T18:15:13.133