CVE-2020-5647 - OpenCVE

Improper access control vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version ’05.65.00.BD’ and earlier, GT1450-QMBDE CoreOS version ’05.65.00.BD’ and earlier, GT1450-QLBDE CoreOS version ’05.65.00.BD’ and earlier, GT1455HS-QTBDE CoreOS version ’05.65.00.BD’ and earlier, and GT1450HS-QMBDE CoreOS version ’05.65.00.BD’ and earlier) allows a remote unauthenticated attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Mitsubishielectric	Gt1450-qlbde Gt1450-qmbde Coreos Gt1450hs-qmbde Gt1455hs-qtbde Gt1455-qtbde

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:coreos:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:mitsubishielectric:gt1450-qlbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1450-qmbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1450hs-qmbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1455-qtbde:-:::::::*
	cpe:2.3:h:mitsubishielectric:gt1455hs-qtbde:-:::::::*

References

Link	Resource
https://jvn.jp/vu/JVNVU99562395/index.html	Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02	Third Party Advisory US Government Resource
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf	Vendor Advisory
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jpcert

Published: 2020-11-06T02:06:29

Updated: 2020-11-06T02:06:29

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5647

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-06T03:15:17.557

Modified: 2020-11-20T17:17:31.727

Link: CVE-2020-5647

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "GT14 Model of GOT 1000 series", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "(GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier)"}]}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier) allows a remote unauthenticated attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet."}], "problemTypes": [{"descriptions": [{"description": "Fails to restrict access", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-06T02:06:29", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2020-5647", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GT14 Model of GOT 1000 series", "version": {"version_data": [{"version_value": "(GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier)"}]}}]}, "vendor_name": "Mitsubishi Electric Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper access control vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier) allows a remote unauthenticated attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Fails to restrict access"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}, {"name": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf", "refsource": "MISC", "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"name": "https://jvn.jp/vu/JVNVU99562395/index.html", "refsource": "MISC", "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}]}}}}, "cveMetadata": {"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2020-5647", "datePublished": "2020-11-06T02:06:29", "dateReserved": "2020-01-06T00:00:00", "dateUpdated": "2020-11-06T02:06:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:coreos:*:*:*:*:*:*:*:*", "matchCriteriaId": "44FA010C-360A-4DE4-8F59-C67EA0569B2A", "versionEndIncluding": "05.65.00.bd", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:gt1450-qlbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "F587B0E6-D2B1-47CC-80FE-8004698E4F71", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1450-qmbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF218A1A-4B6D-4510-80A7-CC22B8D027A4", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1450hs-qmbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE9E2C66-4742-4D50-A2AC-AE097BEF7CBE", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1455-qtbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "D2726AE6-8870-4FB3-B15C-88AAB26FBB9F", "vulnerable": false}, {"criteria": "cpe:2.3:h:mitsubishielectric:gt1455hs-qtbde:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B4C3649-B5DF-4D62-A1EC-4A9DD2CA128A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1450-QLBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, GT1455HS-QTBDE CoreOS version \u201905.65.00.BD\u2019 and earlier, and GT1450HS-QMBDE CoreOS version \u201905.65.00.BD\u2019 and earlier) allows a remote unauthenticated attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet."}, {"lang": "es", "value": "Vulnerabilidad de control de acceso inapropiado en la funci\u00f3n TCP/IP incluida en el firmware del modelo GT14 de la serie GOT 1000 (GT1455-QTBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, GT1450-QMBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores , GT1450-QLBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, GT1455HS-QTBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores, y GT1450HS-QMBDE CoreOS versi\u00f3n '05 .65.00.BD' y anteriores), permite a un atacante no autenticado remoto detener las funciones de red de los productos o ejecutar un programa malicioso por medio de un paquete especialmente dise\u00f1ado"}], "id": "CVE-2020-5647", "lastModified": "2020-11-20T17:17:31.727", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-06T03:15:17.557", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/vu/JVNVU99562395/index.html"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}