(I)IoT Security News
Critical vulnerabiliities, ICS, Recommendations

Mitsubishi Electric MELSEC iQ-R, Q and L Series

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service condition in the Ethernet port on the CPU module.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following MELSEC programmable controllers are affected:

3.2 Vulnerability Overview

3.2.1 Uncontrolled Resource Consumption CWE-400

Mitsubishi Electric MELSEC iQ-R, Q, and L Series CPU modules are vulnerable to uncontrolled resource consumption. When the CPU module receives a specially crafted packet from a malicious attacker, Ethernet communication may enter a denial-of-service condition and a reset is required to recover it.

CVE-2020-5652 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

3.4 RESEARCHER

joker63 of ZheJiangQiAnTechnology reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Please refer to Mitsubishi Electric’s website for details on available patches.
Mitsubishi Electric recommends users update their products by downloading and applying the latest versions. Please contact a Mitsubishi Electric representative for additional details.

For specific additional details, see [Mitsubishi Electric advisory 2020-013].(https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/news-events/ics-advisories/icsa-20-303-01

Related posts

Mitsubishi Electric FA Engineering Software

IoT
1 year ago

Treck TCP/IP Stack

(I) IoT
4 years ago

Automation Direct CLICK PLC CPU Modules

(I) IoT
3 years ago
Exit mobile version