1. EXECUTIVE SUMMARY

  • CVSS v3 9.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric Corporation
  • Equipment: MELSEC iQ-R Series CPU Module
  • Vulnerability: Cleartext Transmission of Sensitive Information

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled “ICSA-21-287-03 Mitsubishi Electric MELSEC iQ-R Series” that was published October 14, 2021, on the ICS webpage on cisa.gov/ICS

3.RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to be able to log in to the CPU module by obtaining credentials.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

——— Begin Update A part 1 of 2 ———

Mitsubishi Electric reports the vulnerability affects the following MELSEC CPU Modules: 

  • MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU: Firmware versions “26” and prior
  • MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU: all versions

4.2 VULNERABILITY OVERVIEW

4.2.1    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION VULNERABILITY CWE-319

——— End Update A part 1 of 2 ———

An unauthorized remote attacker may be able to log in to the CPU module by obtaining credentials other than password.

CVE-2021-20599 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

4.4 RESEARCHER

Ivan Speziale of Nozomi Networks reported this vulnerability to CISA.

5. MITIGATIONS

——— Begin Update A part 2 of 2 ———

Mitsubishi Electric has prepared the following countermeasures: 

  • MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU: Firmware versions “27” or later

Mitsubishi Electric will release updates for other products.

——— End Update A part 2 of 2 ———

Mitsubishi Electric recommends users take the following mitigation measures to minimize risk associated with this vulnerability:

  • Use a firewall or virtual private network (VPN) to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Use the IP filter function to restrict the accessible IP addresses.

Please refer to the Mitsubishi Electric advisory for further details.
Source:

https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-03