Unrated severity · NVD Advisory · Published Dec 17, 2021 · Updated Aug 3, 2024

CVE-2021-20607

Description

Integer underflow vulnerability in Mitsubishi Electric GX Works2 versions 1.606G and prior, Mitsubishi Electric MELSOFT Navigator versions 2.84N and prior, and Mitsubishi Electric EZSocket versions 5.4 and prior allows an attacker to cause a DoS condition in the software by getting a user to open a malicious, specially crafted project file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer underflow in Mitsubishi Electric FA engineering software allows denial of service via a crafted project file.

Vulnerability

An integer underflow vulnerability (CWE-191) exists in Mitsubishi Electric GX Works2 versions 1.606G and prior, MELSOFT Navigator versions 2.84N and prior, and EZSocket versions 5.4 and prior [1][2]. The flaw occurs when the software processes a specially crafted project file, performing a subtraction that yields a value less than the minimum allowable integer, leading to unexpected behavior [2].

Exploitation

To exploit this vulnerability, an attacker must create a malicious project file and convince a user to open it with the affected software. No special network position or authentication is required, but user interaction is necessary. The attack complexity is low [1][2].

Impact

Successful exploitation causes a denial-of-service (DoS) condition in the software, resulting in a crash or hang. The CVSS v3 base score is 5.5, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating no impact to confidentiality or integrity, but high availability impact [1][2].

Mitigation

Mitsubishi Electric has released updates to address the vulnerability: GX Works2 version 1.610L and later, MELSOFT Navigator version 2.86Q and later, and EZSocket version 5.5 and later [1]. Users should apply these updates from the vendor's official channels. No workarounds are provided in the references [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
