CVE-2021-20589

19.05.2021, 11:15

Buffer access with incorrect length value vulnerability in GOT2000 series GT27 model communication driver versions 01.19.000 through 01.38.000, GT25 model communication driver versions 01.19.000 through 01.38.000, GT23 model communication driver versions 01.19.000 through 01.38.000 and GT21 model communication driver versions 01.21.000 through 01.39.000, GOT SIMPLE series GS21 model communication driver versions 01.21.000 through 01.39.000, GT SoftGOT2000 versions 1.170C through 1.250L and Tension Controller LE7-40GU-L Screen package data for MODBUS/TCP V1.00 allows a remote unauthenticated attacker to stop the communication function of the products via specially crafted packets.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Mitsubishi	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 54%

Vendor	Product	Version
mitsubishi	gt27_firmware	01.19.000 ≤ 𝑥 ≤ 01.38.000
mitsubishi	gt25_firmware	01.19.000 ≤ 𝑥 ≤ 01.38.000
mitsubishi	gt23_firmware	01.19.000 ≤ 𝑥 ≤ 01.38.000
mitsubishi	gt21_firmware	01.21.000 ≤ 𝑥 ≤ 01.39.000
mitsubishi	gs21_firmware	01.21.000 ≤ 𝑥 ≤ 01.39.000
mitsubishi	gt_softgot2000_firmware	1.170c ≤ 𝑥 ≤ 1.250l

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://jvn.jp/vu/JVNVU99895108/index.html

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-002_en.pdf

https://jvn.jp/vu/JVNVU99895108/index.html

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-002_en.pdf