CVE-2020-5602 in Engineering Software
Summary
by MITRE
Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
Analysis
by VulDB Data Team • 06/30/2020
The vulnerability identified as CVE-2020-5602 represents a critical XML External Entity (XXE) flaw affecting multiple Mitsubishi Electric industrial automation software products. This vulnerability exists within various configuration tools and development environments including CPU Module Logging Configuration Tool, CW Configurator, EM Software Development Kit, and numerous other engineering software packages. The XXE vulnerability allows attackers to exploit improper XML parsing mechanisms that fail to adequately validate or sanitize external entity references within XML documents processed by these applications. The flaw manifests across a broad spectrum of Mitsubishi Electric industrial software, indicating a systemic issue in how these applications handle XML input processing.
The technical exploitation of this vulnerability occurs when the affected software processes XML files that contain malicious external entity declarations. Attackers can leverage this weakness to perform server-side request forgery attacks, access internal files, conduct port scanning, or potentially execute arbitrary code on the affected systems. The vulnerability's impact extends beyond simple data exfiltration as it can enable attackers to bypass network segmentation and gain unauthorized access to internal systems. The unspecified vectors suggest that the attack surface includes various input points where XML data is consumed, including configuration files, project files, and potentially network communications between different software components.
From an operational perspective, this vulnerability poses significant risks to industrial control systems and manufacturing environments where Mitsubishi Electric software is deployed. The affected products are commonly used in critical infrastructure applications including factory automation, process control, and industrial robotics systems. The presence of XXE vulnerabilities in these tools means that attackers could potentially compromise entire industrial networks through a single vulnerable application. The impact is particularly concerning given that these tools are often run with elevated privileges and have access to sensitive industrial data and system configurations. The vulnerability affects versions up to and including specific release numbers, indicating that organizations using these legacy versions face heightened risk.
Organizations should immediately implement mitigations including updating to patched versions of the affected software products, implementing network segmentation to limit access to these tools, and disabling XML parsing capabilities where possible. Security controls should focus on validating all XML input, implementing proper entity declaration restrictions, and monitoring for unusual network activity. The vulnerability aligns with CWE-611 (Improper Restriction of XML External Entity Reference) and represents a significant concern under the ATT&CK framework category of T1213 (Data from Information Repositories) and T1190 (Exploit Public-Facing Application). Organizations should also consider implementing application whitelisting controls and regular security assessments to identify similar vulnerabilities in other industrial control system software components.
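One way to apply the "validate all XML input" and "entity declaration restrictions" advice to files that arrive from outside before they are opened in an engineering tool, as an added example that is not code from Mitsubishi Electric or VulDB. The function names, the sample documents and the policy that such files need no DTD at all are assumptions made for illustration.

```python
import xml.parsers.expat as expat

class _PrologDone(Exception):
    """Raised from a handler to stop before any element content is parsed."""

def audit_xml_prolog(data: bytes) -> list:
    """Return (kind, name, identifier) tuples for DTD constructs in the prolog."""
    findings = []
    parser = expat.ParserCreate()  # no ExternalEntityRefHandler set: nothing is fetched

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if (system_id or public_id) else "internal-entity"
        findings.append((kind, ("%" if is_param else "") + name, system_id or public_id))

    def stop(*_args):
        raise _PrologDone()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = stop   # DTD fully inspected
    parser.StartElementHandler = stop     # no DTD present: root element reached
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        findings.append(("malformed", str(exc), None))
    return findings

def is_safe_to_open(data: bytes) -> bool:
    """Assumed policy: files for these tools need no DTD, so any finding rejects."""
    return not audit_xml_prolog(data)

# Constructed samples (not taken from any real project file).
CLEAN = b'<?xml version="1.0"?><project><name>line1</name></project>'
EXTERNAL = (b'<?xml version="1.0"?>\n<!DOCTYPE project [\n'
            b'  <!ENTITY ext SYSTEM "http://example.invalid/x">\n]>\n'
            b'<project>&ext;</project>')
INTERNAL = b'<!DOCTYPE p [<!ENTITY a "aaaa">]><p>&a;</p>'

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("external", EXTERNAL), ("internal", INTERNAL)):
        print(label, is_safe_to_open(doc), audit_xml_prolog(doc))
```

Parsing stops at the end of the DTD or at the root element, so entity references in the document body are never expanded by the check itself.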