26 July 2019

Vulnerabilities fixed in Mitsubishi Electric FR Configurator2

Mitsubishi Electric has fixed vulnerabilities in its FR Configurator2 configuration software. The vulnerabilities could allow an attacker to read arbitrary files or cause a denial-of-service condition in FR Configurator2. The security issues affect version 1.16S of the software and all prior versions.

One of the vulnerabilities, CVE-2019-10976, is an improper restriction of XML external entity reference (XXE) flaw that could allow an attacker to read arbitrary files on the target computer. The CVSS v3 base score calculated for this vulnerability is 7.1.
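The standard mitigation for an XXE flaw is to load untrusted XML with DTD processing and external entity resolution disabled. The block below is an added example, not code from Mitsubishi Electric or FR Configurator2: a loader that pre-scans a project file with expat and refuses any document carrying a DOCTYPE or entity declaration before handing it to the real parser. The element names and the sample documents are constructed placeholders, since the real .frc2 format is not described on this page.

```python
"""Hardened XML loading: refuse DTDs and external entities before parsing.

Added example, not vendor code.  The project-file element names below are
constructed placeholders for illustration only.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD or entity declaration."""


def reject_dtd_and_entities(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration.

    XXE needs a DTD to declare the external entity, so refusing every DOCTYPE
    closes the whole class of flaw rather than one payload shape.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration not permitted in project files")

    def on_entity_decl(*_):
        raise UnsafeXmlError("entity declaration not permitted in project files")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat refuse to fetch anything
        # referenced from outside the document, should a declaration slip past.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    # Never load an external DTD subset either.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)


def load_project(xml_bytes: bytes) -> ET.Element:
    """Parse a project file only after the pre-scan has accepted it."""
    reject_dtd_and_entities(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe_project(xml_bytes: bytes) -> bool:
    """True if the document parses without any DTD or entity machinery."""
    try:
        load_project(xml_bytes)
        return True
    except (UnsafeXmlError, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs (placeholder schema, not the real .frc2 layout).
SAFE_PROJECT = b"""<?xml version="1.0"?>
<project name="drive-01"><parameter id="P1" value="5.0"/></project>"""

# Constructed document of the shape the pre-scan must reject: a DTD declaring
# an entity backed by a local path, then a reference to it in the body.
UNSAFE_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project [<!ENTITY leak SYSTEM "file:///placeholder/local-file">]>
<project name="drive-01">&leak;</project>"""


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_PROJECT), ("unsafe", UNSAFE_PROJECT)):
        print(label, "accepted" if is_safe_project(doc) else "rejected")
```

Because the scan runs to completion on the raw bytes before `ElementTree` ever sees them, the parser that actually builds the document never processes a DTD; the same pre-scan can sit in front of any other XML library whose own entity settings you do not fully trust.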

The second vulnerability, CVE-2019-10972, is an uncontrolled resource consumption issue. An attacker who supplies the target with a rogue project file (.frc2) could cause CPU exhaustion, leaving the software unresponsive until the application is restarted. The severity score calculated for this vulnerability is 5.5 on the CVSS v3 scale.

To address the above vulnerabilities, the vendor recommends updating the application to version 1.17T.

Sources: ICS-CERT, Mitsubishi Electric