CVE-2023-6815

Incorrect Privilege Assignment vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series Safety CPU R08/16/32/120SFCPU all versions and MELSEC iQ-R Series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows a remote authenticated attacker who has logged into the product as a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.
References
Configurations

Configuration 1

AND
cpe:2.3:o:mitsubishielectric:r08sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r08sfcpu:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:mitsubishielectric:r16sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r16sfcpu:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:mitsubishielectric:r32sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r32sfcpu:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:mitsubishielectric:r120sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r120sfcpu:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:mitsubishielectric:r08psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r08psfcpu:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:mitsubishielectric:r16psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r16psfcpu:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:mitsubishielectric:r32psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r32psfcpu:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:mitsubishielectric:r120psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r120psfcpu:-:*:*:*:*:*:*:*

History

22 Oct 2024, 12:58

Type Values Removed Values Added
CPE (values added):
cpe:2.3:h:mitsubishielectric:r08sfcpu:-:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r120sfcpu:-:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r08sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r120psfcpu:-:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r32psfcpu:-:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r120psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r32psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r16sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r08psfcpu:-:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r32sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r16sfcpu:-:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r16psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r32sfcpu:-:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r120sfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:mitsubishielectric:r08psfcpu_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:mitsubishielectric:r16psfcpu:-:*:*:*:*:*:*:*
References
  Removed: () https://jvn.jp/vu/JVNVU95085830/index.html -
  Added: () https://jvn.jp/vu/JVNVU95085830/index.html - Third Party Advisory
References
  Removed: () https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 -
  Added: () https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 - Third Party Advisory, US Government Resource
References
  Removed: () https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-021_en.pdf -
  Added: () https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-021_en.pdf - Mitigation, Vendor Advisory
Summary (values added):
  • (es) Incorrect Privilege Assignment vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series Safety CPU R08/16/32/120SFCPU all versions and MELSEC iQ-R Series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows a remote authenticated attacker who has logged into the product as a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.
First Time (values added):
Mitsubishielectric r08sfcpu Firmware
Mitsubishielectric r16sfcpu Firmware
Mitsubishielectric r120sfcpu
Mitsubishielectric r120psfcpu Firmware
Mitsubishielectric r32psfcpu
Mitsubishielectric r08psfcpu Firmware
Mitsubishielectric r32sfcpu
Mitsubishielectric r08sfcpu
Mitsubishielectric r120psfcpu
Mitsubishielectric r16sfcpu
Mitsubishielectric
Mitsubishielectric r16psfcpu
Mitsubishielectric r120sfcpu Firmware
Mitsubishielectric r32psfcpu Firmware
Mitsubishielectric r16psfcpu Firmware
Mitsubishielectric r32sfcpu Firmware
Mitsubishielectric r08psfcpu

14 Feb 2024, 04:15

Type Values Removed Values Added
References (values added):
  • () https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 -

13 Feb 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-13 07:15

Updated : 2024-10-22 12:58


NVD link : CVE-2023-6815

Mitre link : CVE-2023-6815

CVE.ORG link : CVE-2023-6815



Products Affected

mitsubishielectric

  • r08psfcpu
  • r16sfcpu
  • r32psfcpu_firmware
  • r32sfcpu_firmware
  • r08psfcpu_firmware
  • r120sfcpu
  • r16psfcpu
  • r120psfcpu_firmware
  • r16sfcpu_firmware
  • r08sfcpu
  • r32psfcpu
  • r16psfcpu_firmware
  • r32sfcpu
  • r120psfcpu
  • r08sfcpu_firmware
  • r120sfcpu_firmware
CWE
CWE-266

Incorrect Privilege Assignment