Mitsubishi’s GOT2000 series operator panels have six highly critical flaws which could allow remote code execution and complete takeover
Security researchers have found multiple vulnerabilities in the Mitsubishi Electric’s GOT2000 series operator panels, two of which are highly critical. The flaws exist in Mitsubishi GOT2000 model GT27, GT25, and GT23 and can let any potential hacker remotely take over any machine controlled through this series operator.
The two highly critical vulnerabilities are identified as CVE-2020-5598 and CVE-2020-5595 and were rated 9.8 on the CVSS v3 scale. CVE-2020-5598 allows any potential hacker to gain access to the controlling system. It can also allow the hacker to cause a system Denial of Service (DoS) or device malfunction. This vulnerability exists due to inadequate restrictions on access to the TCP/IP function, allowing remote hackers to gain unauthorized access to restricted functions by gaining access to the affected application.
The CVE-2020-5595 is basically a boundary error in the TCP/IP function that can allow potential hackers to remotely execute arbitrary code on the target system. Exploiting this flaw would allow hackers to take full control over the affected industrial plant.
The other four flaws are medium-risk ones. CVE-2020-5596 allows any hacker to exploit the session override in the TCP/IP feature. Hackers could remotely exploit this flaw to cause denial of service (DoS) attacks by sending specially crafted data packets.
The CVE-2020-5597 is A NULL pointer dereference flaw in the [email protected]’s TCP/IP function. While CVE-2020-5599 flaw exists due to incorrect neutralization of arguments in the command line within the TCP/IP function. The CVE-2020-5600 flaw is due to inadequate resource management in the TCP/IP function. All these three flaws are medium severity and allow remote threat actors to launch denial of service (DoS) attacks by sending specially crafted data packets.
Mitsubishi is aware of the flaws and has recommended that all users of the affected Mitsubishi GOT2000 models GT27, GT25, and GT23 should upgrade their operating system from CoreOS to the latest version.