CVE-2022-40267
Published: 2023-01-20
CVE-2022-40267: Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R…
Priority P259 · critical · 9.1 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.18% (63.9th percentile)
Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/z (x=24,40,60, y=T,R, z=ES,ESS) versions 1.042 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/ES-A (x=24,40,60, y=T,R) versions 1.043 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-xMy/z (x=30,40,60,80, y=T,R, z=ES,ESS) versions 1.003 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU versions 33 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU versions 66 and prior allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers.
Affected
122 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitpython_project | gitpython | >= 0 < 3.1.32 | 3.1.32 |
| mitsubishi_electric_corporation | melsec_iq-f_seres_fx5u-80mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_seres_fx5u-80mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-30mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-30mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-30mt_ess | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-40mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-40mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-40mt_ess | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-60mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-60mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-60mt_ess | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-80mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-80mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5s-80mt_ess | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mr_ds | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mr_ds | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mr_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_ds | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_ds | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_dss | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_dss | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_es | — | — |
| mitsubishi_electric_corporation | melsec_iq-f_series_fx5u-32mt_es | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability targets the WEB server function on affected Mitsubishi Electric MELSEC iQ-F and iQ-R Series PLCs; monitor for repeated or anomalous HTTP authentication attempts against these devices, which may indicate an attacker brute-forcing/guessing PRNG-derived session tokens.
- The attack is network-based, requires no authentication, and has high attack complexity (CVSS AV:N/AC:H/PR:N/UI:N). Detection should focus on unauthenticated remote access attempts to the PLC web server, particularly from external/untrusted hosts.
- Flag any access to the MELSEC iQ-F/iQ-R web server function originating from untrusted networks or hosts not whitelisted via the IP filter function, as exploitation requires network reachability to the device.
- No known public exploits specifically target this vulnerability at time of advisory publication; exploitation requires high attack complexity (predicting PRNG seed from observed random numbers).
- The iQ-R Series products (R00/01/02CPU and R04/08/16/32/120(EN)CPU) were added in Update B of the advisory; earlier detection rules or asset inventories based on the original advisory may not include these devices.
CVSS provenance
nvd · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa · 9.8 CRITICAL
vendor_redhat · 8.1 HIGH
Red Hat
GitPython: Insecure non-multi options in clone and clone_from is not blocked
vendor_redhat·2023-08-11·CVSS 8.1
CVE-2023-40267 [HIGH] CWE-20 GitPython: Insecure non-multi options in clone and clone_from is not blocked
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
An improper input validation vulnerability was found in GitPython. This flaw allows an attacker to inject a maliciously crafted remote URL into the clone command, possibly leading to remote code execution.
Statement: In Red Hat Openstack, Red Hat Ansible Automation Platform, and Red Hat Certification Program, while the gitpython dependency is present, the affected codebase is not being used.
Red Hat Satellite does not use the affected functions during runtime, therefore the possible impact is limited to Moderate.
Package: gitpython (Red Hat Ansible
CISA ICS
Mitsubishi Electric MELSEC iQ-F, iQ-R Series (Update B)
cisa_ics·2023-01-17
ICS Advisory
Last Revised: April 18, 2023
Alert Code: ICSA-23-017-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 5.9
- ATTENTION: Exploitable remotely
- Vendor: Mitsubishi Electric
- Equipment: MELSEC iQ-F and iQ-R Series products
- Vulnerability: Predictable Seed in Pseudo-Random Number Generator (PRNG)
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-23-017-02 Mitsubishi Electric MELSEC iQ-F, iQ-R Series (Update A) that was published January 17, 2023, on the ICS webpage on cisa.gov/ICS.
## 3. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to access the WEB server function by guessing the random numbers used fo
GHSA
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
ghsa·2023-08-11·CVSS 9.8
CVE-2023-40267 [HIGH] CWE-78 GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments
GitPython before 3.1.32 does not block insecure non-multi options in `clone` and `clone_from`, making it vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
GHSA
GHSA-9vv4-3cf7-mqqr: Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80,
ghsa_unreviewed·2023-01-20
CVE-2022-40267 [CRITICAL] CWE-335 GHSA-9vv4-3cf7-mqqr: Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80,
Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS version
No detection rules found.
No public exploits indexed.
- https://jvn.jp/vu/JVNVU99673580/index.html
- https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-02
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-019_en.pdf
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1646
Published: 2023-01-20