CVE-2021-20593 Information

Description

Incorrect Implementation of Authentication Algorithm in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.2.50 to Ver. 3.35 GB-50A Ver.2.50 to Ver. 3.35 AG-150A-A Ver.3.20 and prior AG-150A-J Ver.3.20 and prior GB-50ADA-A Ver.3.20 and prior GB-50ADA-J Ver.3.20 and prior EB-50GU-A Ver 7.09 and prior EB-50GU-J Ver 7.09 and prior AE-200A Ver 7.93 and prior AE-200E Ver 7.93 and prior AE-50A Ver 7.93 and prior AE-50E Ver 7.93 and prior EW-50A Ver 7.93 and prior EW-50E Ver 7.93 and prior TE-200A Ver 7.93 and prior TE-50A Ver 7.93 and prior TW-50A Ver 7.93 and prior CMS-RMD-J Ver.1.30 and prior) and Air Conditioning System/Expansion Controllers (PAC-YG50ECA Ver.2.20 and prior) allows a remote authenticated attacker to impersonate administrators to disclose configuration information of the air conditioning system and tamper information (e.g. operation information and configuration of air conditioning system) by exploiting this vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Reference

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-004_en.pdf https://jvn.jp/vu/JVNVU96046575/index.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.1