CVE-2020-5647

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to send specially crafted packets to Mitsubishi GOT 1000 series GT14 model industrial HMIs, which can stop network functions or execute malicious programs. Affected systems include specific GT14 models with CoreOS version '05.65.00.BD' and earlier. This is a critical vulnerability affecting industrial control systems.

💻 Affected Systems

Products:
  • Mitsubishi GOT 1000 series GT14 models: GT1455-QTBDE, GT1450-QMBDE, GT1450-QLBDE, GT1455HS-QTBDE, GT1450HS-QMBDE
Versions: CoreOS version '05.65.00.BD' and earlier
Operating Systems: Mitsubishi GOT CoreOS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected models with default TCP/IP configuration are vulnerable. These devices are used in industrial control systems in manufacturing, energy, and critical infrastructure sectors.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial HMI allowing execution of arbitrary malicious programs, disruption of industrial processes, and potential physical damage or safety incidents.

🟠 Likely Case

Network functions disruption leading to operational downtime in industrial environments, with potential for malware deployment.

🟢 If Mitigated

Limited impact if systems are isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation allows complete compromise from internet if exposed.
🏢 Internal Only: HIGH - Even internally, unauthenticated network access can lead to complete system compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote unauthenticated exploitation via specially crafted packets. No authentication required. Likely weaponized given critical nature and industrial control system target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CoreOS version '05.65.00.BD' and earlier are vulnerable. Check the Mitsubishi advisory for the specific fixed versions.

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-014_en.pdf

Restart Required: Yes

Instructions:

1. Download firmware update from Mitsubishi support portal.
2. Backup current configuration.
3. Apply firmware update following Mitsubishi's instructions.
4. Restart the GOT device.
5. Verify firmware version after update.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

Isolate GOT devices in separate network segments with strict firewall rules blocking unnecessary TCP/IP traffic.

Access Control Lists

Implement network ACLs to restrict access to GOT devices only from authorized engineering workstations and controllers.

🧯 If You Can't Patch

  • Implement strict network segmentation - isolate GOT devices in separate VLANs with firewall rules blocking all unnecessary traffic
  • Deploy intrusion detection/prevention systems to monitor for anomalous TCP/IP traffic patterns to GOT devices

🔍 How to Verify

Check if Vulnerable:

Check the CoreOS version on the GOT device: navigate to System Information in the GOT menu and check whether the version is '05.65.00.BD' or earlier.

Check Version:

No CLI command - check via GOT device System Information menu interface

Verify Fix Applied:

After patching, verify that System Information shows a CoreOS version later than '05.65.00.BD'.
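
An added example, not from the vendor or from this page's source: a Python triage of an asset inventory against the affected model list and the '05.65.00.BD' threshold given above. The version ordering rule (numeric fields compared left to right, suffix not ordered), the status names and the sample inventory are assumptions; versions the rule cannot order are flagged for manual review against the vendor advisory.

```python
import re

# Affected models and last vulnerable version, both taken from this page.
AFFECTED_MODELS = {"GT1455-QTBDE", "GT1450-QMBDE", "GT1450-QLBDE",
                   "GT1455HS-QTBDE", "GT1450HS-QMBDE"}
LAST_VULNERABLE = "05.65.00.BD"
# Assumption: versions are three two-digit numeric fields plus a two-letter
# suffix; numeric fields order releases, the suffix has no known ordering.
VERSION_RE = re.compile(r"^(\d{2})\.(\d{2})\.(\d{2})\.([A-Z]{2})$")

def parse_version(text):
    """Return ((major, minor, patch), suffix), or None for an unknown format."""
    m = VERSION_RE.match(text.strip().upper())
    return (tuple(int(g) for g in m.groups()[:3]), m.group(4)) if m else None

def triage(model, version):
    """Classify one device: AFFECTED, REVIEW, LATER_VERSION or NOT_LISTED."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "NOT_LISTED"        # model is not in this page's affected list
    parsed = parse_version(version)
    if parsed is None:
        return "REVIEW"            # unreadable version: never assume it is safe
    nums, suffix = parsed
    limit, limit_suffix = parse_version(LAST_VULNERABLE)
    if nums < limit or (nums, suffix) == (limit, limit_suffix):
        return "AFFECTED"
    if nums == limit:
        return "REVIEW"            # same numbers, other suffix: order unknown
    return "LATER_VERSION"         # still confirm against the vendor advisory

# Constructed sample inventory: asset tag, model, CoreOS version as read from
# the System Information screen. Versions other than 05.65.00.BD are made up.
INVENTORY = [
    ("hmi-line1", "GT1455-QTBDE", "05.65.00.BD"),
    ("hmi-line2", "GT1450-QMBDE", "05.40.00.BD"),
    ("hmi-line3", "GT1450HS-QMBDE", "05.66.00.BD"),
    ("hmi-line4", "GT1450-QLBDE", "05.65.00.BE"),
    ("hmi-line5", "GT1455HS-QTBDE", "5.65"),
    ("hmi-lab", "GT9999-EXAMPLE", "05.10.00.BD"),  # placeholder model name
]

def triage_inventory(rows):
    """Map each asset tag to its triage status."""
    return {tag: triage(model, version) for tag, model, version in rows}

if __name__ == "__main__":
    for tag, status in triage_inventory(INVENTORY).items():
        print(f"{tag:10} {status}")
```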

📡 Detection & Monitoring

Log Indicators:

  • Unusual TCP/IP connection attempts to GOT devices
  • Network service disruptions on GOT devices
  • Unexpected process execution on GOT devices

Network Indicators:

  • Anomalous TCP packets to GOT device ports
  • Traffic patterns matching known exploit signatures
  • Unexpected network connections from GOT devices

SIEM Query:

source_ip=* AND dest_ip=GOT_IP AND (tcp_flags=malformed OR packet_size=anomalous)
