CVE-2023-1285 : Signal Handler Race Condition vulnerability in Mitsubishi Electric India GC-ENET

Signal Handler Race Condition vulnerability in Mitsubishi Electric India GC-ENET-COM whose first 2 digits of 11-digit serial number of unit are "16" allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in Ethernet communication by sending a large number of specially crafted packets to any UDP port when GC-ENET-COM is configured as a Modbus TCP Server. The communication resumes only when the power of the main unit is turned off and on or when the GC-ENET-COM is hot-swapped from the main unit.

Published 2023-04-14 03:15:07

Updated 2023-04-24 13:22:28

Source Mitsubishi Electric Corporation

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2023-1285

Mitsubishielectric » Gc-enet-com Firmware » Version: N/A
cpe:2.3:o:mitsubishielectric:gc-enet-com_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Mitsubishielectric » Gc-enet-com » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-1285

EPSS FAQ

0.29%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-1285

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	Mitsubishi Electric Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2023-1285

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Assigned by: nvd@nist.gov (Primary)
CWE-364 Signal Handler Race Condition

The product uses a signal handler that introduces a race condition.

Assigned by: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp (Secondary)

References for CVE-2023-1285

https://www.cisa.gov/news-events/ics-advisories/icsa-23-103-15

Mitsubishi Electric India GC-ENET-COM | CISA
Third Party Advisory;US Government Resource
https://mitsubishielectric.in/fa/cnc-pdf/DoS_in_Ethernet_Communication_Extension_Unit_GC_ENET_COM_of_GOC35_Series.pdf

Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-1285

Products affected by CVE-2023-1285

Exploit prediction scoring system (EPSS) score for CVE-2023-1285

CVSS scores for CVE-2023-1285

CWE ids for CVE-2023-1285

References for CVE-2023-1285