JVNVU#92370624
Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric data collection analyzer MELQIC IU1 series

Overview

Data collection analyzer MELQIC IU1 series provided by Mitsubishi Electric Corporation contain multiple vulnerabilities.

Products Affected

• IU1-1M20-D firmware version 1.0.7 and earlier

Description

Data collection analyzer MELQIC IU1 series provided by Mitsubishi Electric Corporation contain multiple vulnerabilities in TCP/IP function included in the firmware.

• Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) - CVE-2020-5542
• Session Fixation (CWE-384) - CVE-2020-5543
• NULL Pointer Dereference (CWE-476) - CVE-2020-5544
• Improper Access Control (CWE-284) - CVE-2020-5545
• Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88) - CVE-2020-5546
• Resource Management Errors (CWE-399) - CVE-2020-5547

Impact

By receiving a packet which is specially crafted by an attacker, the network functions of the products may be stopped or malware may be executed.

Solution

Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.
According to the developer, it is necessary to upgrade the firmware of products to version 1.08 or later by using IU Configuration Tool version 1.04 or later.