VYPR
Unrated severity · NVD Advisory · Published Aug 3, 2023 · Updated Feb 27, 2025

CVE-2023-3373

Description

Predictable Exact Value from Previous Values vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT21 model versions 01.49.000 and prior and GOT SIMPLE Series GS21 model versions 01.49.000 and prior allows a remote unauthenticated attacker to hijack data connections (session hijacking) or prevent legitimate users from establishing data connections (to cause DoS condition) by guessing the listening port of the data connection on FTP server and connecting to it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mitsubishi Electric GOT2000 and GOT SIMPLE FTP server port numbers are easily guessable, allowing session hijacking or DoS by a remote unauthenticated attacker.

Vulnerability

A predictable port number vulnerability (CWE-342) exists in the FTP server function of Mitsubishi Electric GOT2000 Series GT21 model versions 01.49.000 and prior, and GOT SIMPLE Series GS21 model versions 01.49.000 and prior [1][2]. When the FTP server operates in passive mode, it listens for data connections on a port that can be easily guessed by observing previous values or patterns, without requiring any authentication [1][2].
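The weakness described here is that the data-connection port a passive-mode FTP server announces can be inferred from earlier values. The following is an added illustration, not code from the advisory, NVD, or Mitsubishi Electric: it parses standard RFC 959 `227` PASV replies into port numbers and applies a simple audit heuristic (a constant step between consecutive ports, threshold 0.8, both chosen here as assumptions) to flag allocation that looks sequential. The server replies are constructed sample data, not captures from a real device.

```python
import re
from collections import Counter

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_port(reply: str) -> int:
    """Extract the data-connection port from a 227 PASV reply.

    Raises ValueError for anything that is not a well-formed 227 reply
    (e.g. a 425 error), so a failed PASV never silently yields port 0.
    """
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return octets[4] * 256 + octets[5]


def assess_pasv_ports(replies, min_samples=6, step_threshold=0.8):
    """Audit a sequence of PASV replies from one server for predictable allocation.

    Heuristic (an assumption of this example, not part of the advisory): if a
    single step value explains >= step_threshold of the consecutive differences,
    the allocation is reported as predictable. A 'no-obvious-pattern' verdict
    is not proof of randomness; it only means this simple test did not fire.
    """
    ports = [parse_pasv_port(r) for r in replies]
    if len(ports) < min_samples:
        return {"ports": ports, "verdict": "insufficient-samples",
                "dominant_step": None, "step_fraction": 0.0}
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    fraction = count / len(deltas)
    verdict = "predictable" if fraction >= step_threshold else "no-obvious-pattern"
    return {"ports": ports, "verdict": verdict,
            "dominant_step": step, "step_fraction": round(fraction, 3)}


def pasv_reply(port: int) -> str:
    """Build a constructed 227 reply for a given port (sample data only)."""
    return f"227 Entering Passive Mode (192,168,0,10,{port // 256},{port % 256})."


# Constructed sample 1: a server that hands out consecutive data ports.
SEQUENTIAL_REPLIES = [pasv_reply(p) for p in range(50000, 50012)]

# Constructed sample 2: ports with no constant step between them.
RANDOMISED_REPLIES = [pasv_reply(p) for p in
                      (51234, 60877, 49213, 57002, 62111, 50444, 53890, 58321)]


if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL_REPLIES),
                          ("randomised", RANDOMISED_REPLIES)):
        result = assess_pasv_ports(sample)
        print(f"{label:11s} verdict={result['verdict']} "
              f"step={result['dominant_step']} fraction={result['step_fraction']}")
```

In an assessment of your own equipment, the replies would come from a series of PASV commands issued over an authenticated control connection; a "predictable" verdict on a GT21 or GS21 unit is a cue to apply the 01.50.000 firmware or disable the FTP server function as the vendor advises.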

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by predicting the listening port number of an active FTP data connection on an affected device. The attacker must time the connection attempt to coincide with an ongoing FTP session [1]. No prior authentication or local access to the device is needed; the attack vector is over the network [2].

Impact

Successful exploitation allows an attacker to hijack the data connection (session hijacking), enabling interception or tampering with data transmitted during the FTP session. Alternatively, the attacker can prevent legitimate users from establishing data connections, causing a denial-of-service (DoS) condition [1][2]. The CVSS v3 base score is 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L) [2].

Mitigation

Mitsubishi Electric has released firmware versions 01.50.000 or later for both affected models (GT21 and GS21) to fix the vulnerability [2]. Users should update their GOT firmware to version 01.50.000 or later. As a workaround, if the FTP server function is not required, disable it on the device [1]. No evidence of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog was found in the provided references.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
