CVE-2020-5648 : Improper neutralization of argument delimiters in a command ('Argument Injection

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QMBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QLBDE CoreOS version "05.65.00.BD" and earlier, GT1455HS-QTBDE CoreOS version "05.65.00.BD" and earlier, and GT1450HS-QMBDE CoreOS version "05.65.00.BD" and earlier) allows unauthenticated attackers on adjacent network to stop the network functions of the products via a specially crafted packet.

Published 2020-11-06 03:15:18

Updated 2020-11-20 17:15:48

Source JPCERT/CC

View at NVD, CVE.org

Products affected by CVE-2020-5648

Mitsubishielectric » Coreos
Versions up to, including, (<=) 05.65.00.bd
cpe:2.3:o:mitsubishielectric:coreos:*:*:*:*:*:*:*:*
Matching versions
When used together with: Mitsubishielectric » Gt1450-qlbde » Version: N/A
When used together with: Mitsubishielectric » Gt1450-qmbde » Version: N/A
When used together with: Mitsubishielectric » Gt1450hs-qmbde » Version: N/A
When used together with: Mitsubishielectric » Gt1455-qtbde » Version: N/A
When used together with: Mitsubishielectric » Gt1455hs-qtbde » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-5648

EPSS FAQ

0.71%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5648

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2020-5648

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-5648

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf

MITSUBISHI ELECTRIC Global website
Vendor Advisory

CVEs referencing this url
https://us-cert.cisa.gov/ics/advisories/icsa-20-310-02

Mitsubishi Electric GT14 Model of GOT1000 Series | CISA
Third Party Advisory;US Government Resource

CVEs referencing this url
https://jvn.jp/vu/JVNVU99562395/index.html

JVNVU#99562395: 三菱電機製 GOT1000 シリーズ GT14 モデルにおける複数の脆弱性
Third Party Advisory

CVEs referencing this url
https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-014.pdf

Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-5648

Products affected by CVE-2020-5648

Exploit prediction scoring system (EPSS) score for CVE-2020-5648

CVSS scores for CVE-2020-5648

CWE ids for CVE-2020-5648

References for CVE-2020-5648