(I)IoT Security News
Critical vulnerabiliities, IoT Security, Market, News, Recommendations

Mitsubishi Electric MELSEC iQ-R Series

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to cause a denial-of-service condition on a target product by sending specially crafted packets. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric MELSEC iQ-R Series products are affected: 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20 

MELSEC iQ-R Series RJ71EN71 products with firmware versions prior to “65” and R04/08/16/32/120ENCPU products with Network firmware versions prior to “65” are vulnerable to improper input validation. A remote unauthenticated user could cause a denial-of-service condition on a target product by sending specially crafted packets. A system reset is required to recover from a denial-of-service condition. 

CVE-2022-40265 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). 

3.3 BACKGROUND

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA. 

4. MITIGATIONS

Mitsubishi Electric has fixed the vulnerability in the following MELSEC iQ-R Series products: 

Users should refer to the following product manual for instructions to update firmware: 

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of an unauthenticated user exploiting this vulnerability: 

Note: For using the IP filter function, users should see MELSEC iQ-R Ethernet User’s Manual (Application) Security “IP filter” 

Users can refer to the Mitsubishi Electric advisory for further details.  

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Source:

https://www.cisa.gov/uscert/ics/advisories/icsa-22-335-01

Related posts

Telecrane F25 Series

(I) IoT
6 years ago

Boys Town Healthcare Data Breach Exposed Personal Details of Patients

(I) IoT
6 years ago

7 Variants of Mirai (So Far)

IoT
6 years ago
Exit mobile version