CVE-2020-5599

Vulnerability

The TCP/IP function in CoreOS versions -Y and earlier on Mitsubishi Electric GOT2000 series (GT27, GT25, and GT23 models) contains an improper neutralization of argument delimiters in a command vulnerability (CWE-88), also categorized as an argument injection [1]. The affected firmware versions are those prior to version Z [1]. The vulnerability exists in the network stack's parsing of specially crafted packets, allowing manipulation of command arguments without proper sanitization [1].

Exploitation

An attacker requires network connectivity to the target device and the ability to send a specially crafted packet [1]. No authentication is mentioned as a prerequisite; the attack can be launched remotely over a network [1]. By crafting the packet with malicious argument delimiters, the attacker can inject additional commands into the TCP/IP processing logic [1]. The steps involve sending the malicious packet to the target GOT2000 series HMI unit [1].

Impact

Successful exploitation can lead to either a denial of service (stopping network functions) or arbitrary code execution (running a malicious program) on the affected device [1]. The attacker may achieve full compromise of the network functionality or execute arbitrary commands in the context of the affected TCP/IP stack [1]. This could disrupt industrial control operations or allow further lateral movement within the network [1].

Mitigation

The official solution is to update CoreOS to version Z or later [1]. This requires installing MELSOFT GT Designer3(2000) version 1.240A, creating CoreOS with version Z on an SD card, and updating the affected product [1]. As a workaround, restricting access from untrusted networks or hosts can reduce the attack surface [1]. No other mitigations beyond vendor-provided updates and network access controls are documented in the references [1].