Published: 2020/06/23  Last Updated: 2020/06/24

JVNVU#91424496
Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series vulnerable to cleartext transmission of sensitive information

Overview

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series contain a vulnerability that allows cleartext transmission of sensitive information (CWE-319) between CPU modules and GX Works3 and/or GX Works2.

Products Affected

  • MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules, all versions

Description

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series contain a vulnerability that allows cleartext transmission of sensitive information (CWE-319) between CPU modules and GX Works3 and/or GX Works2.

Impact

If this vulnerability is exploited, disclosure or alteration of information, unauthorized operations, and denial of service (DoS) attacks may be conducted by a remote attacker.

Solution

Apply Workaround
According to the developer, an update to resolve this vulnerability is not provided.

However, the developer recommends that users apply the following workaround to mitigate the impact of this vulnerability.

  • When performing communication via untrusted networks or hosts, encrypt the communication path by setting up a VPN

For more information, refer to the information provided by the developer.

References

  1. ICS Advisory (ICSA-20-175-01)
    Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L and FX Series CPU Modules

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score: 10.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Credit

Mitsubishi Electric Corporation reported this vulnerability to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE: CVE-2020-5594

Update History

2020/06/24
Added ICS Advisory link to [References] section.