Published: 2020/03/11  Last Updated: 2020/03/11

JVNVU#92370624
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric data collection analyzer MELQIC IU1 series

Overview

The data collection analyzer MELQIC IU1 series provided by Mitsubishi Electric Corporation contains multiple vulnerabilities.

Products Affected

  • IU1-1M20-D firmware version 1.0.7 and earlier

Description

The data collection analyzer MELQIC IU1 series provided by Mitsubishi Electric Corporation contains multiple vulnerabilities in the TCP/IP function included in the firmware.

Impact

If an affected product receives a packet specially crafted by an attacker, its network functions may be stopped or malware may be executed.

Solution

Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.
According to the developer, the firmware of the products must be upgraded to version 1.08 or later by using IU Configuration Tool version 1.04 or later.

Apply the Workaround
Restricting access to the network from untrusted networks and hosts with a firewall may mitigate the impact of the vulnerabilities.
 

Credit

Mitsubishi Electric Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

CVE: CVE-2020-5542, CVE-2020-5543, CVE-2020-5544, CVE-2020-5545, CVE-2020-5546, CVE-2020-5547