1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: MELSEC iQ-R Series Safety CPU and SIL2 Process CPU Module
- Vulnerability: Incorrect Privilege Assignment
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than themselves.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports that the following MELSEC iQ-R Series products are affected:
- MELSEC iQ-R Series Safety CPU R08SFCPU: All versions
- MELSEC iQ-R Series Safety CPU R16SFCPU: All versions
- MELSEC iQ-R Series Safety CPU R32SFCPU: All versions
- MELSEC iQ-R Series Safety CPU R120SFCPU: All versions
- MELSEC iQ-R Series SIL2 Process CPU R08PSFCPU: All versions
- MELSEC iQ-R Series SIL2 Process CPU R16PSFCPU: All versions
- MELSEC iQ-R Series SIL2 Process CPU R32PSFCPU: All versions
- MELSEC iQ-R Series SIL2 Process CPU R120PSFCPU: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266
An information disclosure vulnerability due to incorrect privilege assignment exists in MELSEC iQ-R Series Safety CPU and SIL2 Process CPU modules. After logging into the CPU module as a non-administrator user, a remote attacker may disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.
CVE-2023-6815 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI
[…]