Details of VAR-202006-1511

ID

VAR-202006-1511

CVE

CVE-2020-5594

TITLE

Made by Mitsubishi Electric MELSEC iQ-R , iQ-F , Q , L , FX Of the series CPU With the unit GX Works3 and GX Works2 Vulnerability in plaintext communication between

Trust: 0.8

sources: JVNDB: JVNDB-2020-005854

DESCRIPTION

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules all versions contain a vulnerability that allows cleartext transmission of sensitive information between CPU modules and GX Works3 and/or GX Works2 via unspecified vectors. Mitsubishi Electric MELSEC iQ-R series, etc. are all a programmable logic controller of Japan's Mitsubishi Electric (Mitsubishi Electric) company. There are security vulnerabilities in many Mitsubishi Electric products. The vulnerabilities stem from the use of clear text communication between the CPU module and GX Works3 or GX Works2. Attackers can use the vulnerabilities to eavesdrop or tamper with communication data, perform unauthorized operations, and cause denial of service

Trust: 2.25

sources: NVD: CVE-2020-5594 // JVNDB: JVNDB-2020-005854 // CNVD: CNVD-2020-46802 // VULMON: CVE-2020-5594

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-46802

AFFECTED PRODUCTS

vendor:	mitsubishielectric	model:	melsec-q	scope:	eq	version:	*	Trust: 1.0
vendor:	mitsubishielectric	model:	melsec-l	scope:	eq	version:	*	Trust: 1.0
vendor:	mitsubishielectric	model:	melsec iq-f	scope:	eq	version:	*	Trust: 1.0
vendor:	mitsubishielectric	model:	melsec-fx	scope:	eq	version:	*	Trust: 1.0
vendor:	mitsubishielectric	model:	melsec iq-r	scope:	eq	version:	*	Trust: 1.0
vendor:	mitsubishi electric	model:	melsec fx series	scope:	eq	version:	の cpu ユニット全て	Trust: 0.8
vendor:	mitsubishi electric	model:	melsec iq-f series	scope:	eq	version:	の cpu ユニット全て	Trust: 0.8
vendor:	mitsubishi electric	model:	melsec iq-r series	scope:	eq	version:	の cpu ユニット全て	Trust: 0.8
vendor:	mitsubishi electric	model:	melsec l series	scope:	eq	version:	の cpu ユニット全て	Trust: 0.8
vendor:	mitsubishi electric	model:	melsec q series	scope:	eq	version:	の cpu ユニット全て	Trust: 0.8
vendor:	mitsubishi	model:	electric melsec fx	scope:	-	version:	-	Trust: 0.6
vendor:	mitsubishi	model:	electric melsec iq-r	scope:	-	version:	-	Trust: 0.6
vendor:	mitsubishi	model:	electric melsec iq-f	scope:	-	version:	-	Trust: 0.6
vendor:	mitsubishi	model:	electric melsec q	scope:	-	version:	-	Trust: 0.6
vendor:	mitsubishi	model:	electric melsec l	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2020-46802 // JVNDB: JVNDB-2020-005854 // NVD: CVE-2020-5594

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-5594
value:	CRITICAL
Trust: 1.0
IPA:	JVNDB-2020-005854
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-46802
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202006-1590
value:	CRITICAL
Trust: 0.6
VULMON:	CVE-2020-5594
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2020-5594
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
CNVD:	CNVD-2020-46802
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-5594
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA score:	JVNDB-2020-005854
baseSeverity:	CRITICAL
baseScore:	10
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-46802 // VULMON: CVE-2020-5594 // JVNDB: JVNDB-2020-005854 // CNNVD: CNNVD-202006-1590 // NVD: CVE-2020-5594

PROBLEMTYPE DATA

problemtype:

CWE-319

Trust: 1.0

sources: NVD: CVE-2020-5594

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-1590

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202006-1590

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005854

PATCH

title:

MELSEC iQ-R、iQ-F、Q、L、FXシリーズのCPUユニットとGX Works3およびGX Works2間の通信に、情報漏えい、情報改ざん、不正操作、サービス拒否(DoS)の脆弱性

url:

https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-003.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2020-005854

EXTERNAL IDS

db:	NVD	id:	CVE-2020-5594	Trust: 3.1
db:	JVN	id:	JVNVU91424496	Trust: 2.5
db:	ICS CERT	id:	ICSA-20-175-01	Trust: 2.0
db:	JVNDB	id:	JVNDB-2020-005854	Trust: 1.4
db:	CNVD	id:	CNVD-2020-46802	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2176	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-1590	Trust: 0.6
db:	VULMON	id:	CVE-2020-5594	Trust: 0.1

sources: CNVD: CNVD-2020-46802 // VULMON: CVE-2020-5594 // JVNDB: JVNDB-2020-005854 // CNNVD: CNNVD-202006-1590 // NVD: CVE-2020-5594

REFERENCES

url:	https://jvn.jp/en/vu/jvnvu91424496/index.html	Trust: 1.7
url:	https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-003.pdf	Trust: 1.7
url:	https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-003_en.pdf	Trust: 1.7
url:	https://www.us-cert.gov/ics/advisories/icsa-20-175-01	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5594	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu91424496	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-20-175-01	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-5594	Trust: 0.6
url:	https://jvndb.jvn.jp/en/contents/2020/jvndb-2020-005854.html	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2176/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/319.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2020-46802 // VULMON: CVE-2020-5594 // JVNDB: JVNDB-2020-005854 // CNNVD: CNNVD-202006-1590 // NVD: CVE-2020-5594

CREDITS

Shunkai Zhu , Rongkuan Ma , Peng Cheng from NESC Lab of Zhejiang University

Trust: 0.6

sources: CNNVD: CNNVD-202006-1590

SOURCES

db:	CNVD	id:	CNVD-2020-46802
db:	VULMON	id:	CVE-2020-5594
db:	JVNDB	id:	JVNDB-2020-005854
db:	CNNVD	id:	CNNVD-202006-1590
db:	NVD	id:	CVE-2020-5594

LAST UPDATE DATE

2024-11-23T22:33:25.234000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-46802	date:	2020-08-19T00:00:00
db:	VULMON	id:	CVE-2020-5594	date:	2020-07-01T00:00:00
db:	JVNDB	id:	JVNDB-2020-005854	date:	2020-06-24T00:00:00
db:	CNNVD	id:	CNNVD-202006-1590	date:	2020-07-09T00:00:00
db:	NVD	id:	CVE-2020-5594	date:	2024-11-21T05:34:19.893

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-46802	date:	2020-08-19T00:00:00
db:	VULMON	id:	CVE-2020-5594	date:	2020-06-23T00:00:00
db:	JVNDB	id:	JVNDB-2020-005854	date:	2020-06-24T00:00:00
db:	CNNVD	id:	CNNVD-202006-1590	date:	2020-06-23T00:00:00
db:	NVD	id:	CVE-2020-5594	date:	2020-06-23T08:15:10.487