Mitsubishi Electric MELSEC iQ-R, Q and L Series

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, Q, and L Series
• Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service condition in the Ethernet port on the CPU module.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following MELSEC programmable controllers are affected:

• MELSEC iQ-R R00 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R01 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R02 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R04 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R08 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R16 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R32 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R120 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R08 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R16 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R32 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R120 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R08 PCPU firmware: versions 25 and earlier
• MELSEC iQ-R R16 PCPU firmware: versions 25 and earlier
• MELSEC iQ-R R32 PCPU firmware: versions 25 and earlier
• MELSEC iQ-R R120 PCPU firmware: versions 25 and earlier
• MELSEC iQ-R R16 MTCPU operating system software: version 21 and earlier
• MELSEC iQ-R R32 MTCPU operating system software: version 21 and earlier
• MELSEC iQ-R R64 MTCPU operating system software: version 21 and earlier
• MELSEC Q Q03 UDECPU: serial number 22081 and earlier
• MELSEC Q Q04 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q06 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q10 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q13 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q20 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q26 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q50 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q100 UDEHCPU: serial number 22081 and earlier
• MELSEC Q Q03 UDVCPU: serial number 22031 and earlier
• MELSEC Q Q04 UDVCPU: serial number 22031 and earlier
• MELSEC Q Q06 UDVCPU: serial number 22031 and earlier
• MELSEC Q Q13 UDVCPU: serial number 22031 and earlier
• MELSEC Q Q26 UDVCPU: serial number 22031 and earlier
• MELSEC Q Q04 UDPVCPU: serial number 22031 and earlier
• MELSEC Q Q06 UDPVCPU: serial number 22031 and earlier
• MELSEC Q Q13 UDPVCPU: serial number 22031 and earlier
• MELSEC Q Q26 UDPVCPU: serial number 22031 and earlier
• MELSEC Q Q172 DCPU-S1 operating system software: version V and earlier
• MELSEC Q Q173 DCPU-S1 operating system software: version V and earlier
• MELSEC Q Q172 DSCPU operating system software: version W and earlier
• MELSEC Q Q173 DSCPU operating system software: version W and earlier
• MELSEC Q Q170 MCPU operating system software: version V and earlier
• MELSEC Q Q170 MSCPU(-S1) operating system software: version W and earlier
• MELSEC Q MR-MQ100 operating system software: version E and earlier
• MELSEC L L02 CPU (-P): serial number 23121 and earlier
• MELSEC L L06 CPU (-P): serial number 23121 and earlier
• MELSEC L L26 CPU (-P): serial number 23121 and earlier
• MELSEC L L26 CPU – (P) BT: serial number 23121 and earlier

3.2 Vulnerability Overview

3.2.1 Uncontrolled Resource Consumption CWE-400

Mitsubishi Electric MELSEC iQ-R, Q, and L Series CPU modules are vulnerable to uncontrolled resource consumption. When the CPU module receives a specially crafted packet from a malicious attacker, Ethernet communication may enter a denial-of-service condition and a reset is required to recover it.

CVE-2020-5652 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

joker63 of ZheJiangQiAnTechnology reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.

Please refer to Mitsubishi Electric’s website for details on available patches.
Mitsubishi Electric recommends users update their products by downloading and applying the latest versions. Please contact a Mitsubishi Electric representative for additional details.

For specific additional details, see [Mitsubishi Electric advisory 2020-013].(https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-20-303-01