Published: 2020/11/12  Last Updated: 2020/11/13

JVN#44764844
MELSEC iQ-R Series CPU Modules vulnerable to uncontrolled resource consumption

Overview

MELSEC iQ-R Series CPU Modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability.

Products Affected

The following MELSEC iQ-R series CPU modules are affected.

  • R00/01/02CPU Firmware versions from "05" to "19"
  • R04/08/16/32/120(EN)CPU Firmware versions from "35" to "51"

Description

MELSEC iQ-R series CPU modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability (CWE-400).

According to the developer, this issue does not occur when "To Use or Not to Use Web Server Settings" in the CPU module parameters is set to "Not Use". (The default setting is "Not Use".)

Impact

If the CPU module receives a specially crafted HTTP packet from a remote attacker, a denial-of-service (DoS) condition may occur in the product's program execution and communication.
Note that a reset is required for recovery.

Solution

Update the software
Apply the appropriate update according to the information provided by the developer.
According to the developer, this vulnerability is fixed in the following firmware versions.

  • R00/01/02CPU firmware versions "20" and later
  • R04/08/16/32/120(EN)CPU firmware versions "52" and later

Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.

  • If Web Server function is not in use, set "Not Use" for "To Use or Not to Use Web Server Settings"
  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when accessing the Internet
  • Use the product within a trusted LAN and block access from untrusted networks and hosts by using firewalls
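
As an added example (not part of the advisory or of the vendor's tooling), the following Python script triages an asset inventory against the affected firmware ranges and the Web Server setting described above. The inventory rows, status labels and function names are constructed for illustration, and an unknown Web Server setting is assumed to be enabled.

```python
import re

# Affected firmware ranges as listed in this advisory: family -> (first, last affected).
AFFECTED = {"R00/01/02CPU": (5, 19), "R04/08/16/32/120(EN)CPU": (35, 51)}
# Only the model names the advisory lists; other R-series variants fall through.
MODEL_RE = re.compile(r"R(00|01|02|04|08|16|32|120)(EN)?CPU")


def family(model):
    """Map an inventory model string to the advisory's product family, or None."""
    m = MODEL_RE.fullmatch(model.strip().upper())
    if not m:
        return None
    size, en = m.groups()
    if size in ("00", "01", "02"):
        return None if en else "R00/01/02CPU"  # no EN variant is listed for these
    return "R04/08/16/32/120(EN)CPU"


def triage(model, firmware, web_server_enabled):
    """Classify one module. web_server_enabled: True, False ("Not Use") or None (unknown)."""
    fam = family(model)
    if fam is None:
        return "not-listed"
    if not re.fullmatch(r"\d{1,2}", firmware.strip()):
        return "check-firmware"  # unreadable version: verify on the module itself
    first, last = AFFECTED[fam]
    ver = int(firmware.strip())
    if ver > last:
        return "fixed"
    if ver < first:
        return "below-affected-range"
    # In range: per the developer the issue does not occur with the Web Server
    # set to "Not Use". An unknown setting (None) is treated as enabled.
    return "affected-web-off" if web_server_enabled is False else "affected-exposed"


# Constructed sample inventory (hypothetical asset names, not from the advisory).
INVENTORY = [
    ("line1-plc", "R04ENCPU", "51", True),
    ("line2-plc", "R08CPU", "52", True),
    ("pump-plc", "R01CPU", "12", False),
    ("lab-plc", "R120CPU", "40", None),
    ("safety-plc", "R08SFCPU", "10", True),  # model not listed in this advisory
]

if __name__ == "__main__":
    for name, model, fw, web in INVENTORY:
        print(f"{name:11} {model:9} fw={fw:3} -> {triage(model, fw, web)}")
```

Modules reported as "affected-web-off" still run affected firmware and should be scheduled for the update, since the workaround only holds while the setting stays at "Not Use".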

Vendor Status

Vendor: Mitsubishi Electric Corporation
Link: Denial-of-Service Vulnerability in MELSEC iQ-R Series CPU Modules

References

  1. ICS Advisory (ICSA-20-317-01)
    Mitsubishi Electric MELSEC iQ-R Series

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Base Score: 6.8

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): High (H)

CVSS v2 AV:N/AC:H/Au:N/C:N/I:N/A:C
Base Score: 5.4

  • Access Vector (AV): Network (N)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): Complete (C)

Credit

TOMOOMI IWATA, KINOSHITA SHUNICHI of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5666
JVN iPedia: JVNDB-2020-000072

Update History

2020/11/13
Added information under [References] section.