1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric Corporation
- Equipment: MELSEC iQ-R Series CPU Module
- Vulnerability: Cleartext Transmission of Sensitive Information
2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled “ICSA-21-287-03 Mitsubishi Electric MELSEC iQ-R Series” that was published October 14, 2021, on the ICS webpage on cisa.gov/ICS
3.RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to be able to log in to the CPU module by obtaining credentials.
4. TECHNICAL DETAILS
4.1 AFFECTED PRODUCTS
——— Begin Update A part 1 of 2 ———
Mitsubishi Electric reports the vulnerability affects the following MELSEC CPU Modules:
- MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU: Firmware versions “26” and prior
- MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU: all versions
4.2 VULNERABILITY OVERVIEW
4.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION VULNERABILITY CWE-319
——— End Update A part 1 of 2 ———
An unauthorized remote attacker may be able to log in to the CPU module by obtaining credentials other than password.
CVE-2021-20599 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
4.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
4.4 RESEARCHER
Ivan Speziale of Nozomi Networks reported this vulnerability to CISA.
5. MITIGATIONS
——— Begin Update A part 2 of 2 ———
Mitsubishi Electric has prepared the following countermeasures:
- MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU: Firmware versions “27” or later
Mitsubishi Electric will release updates for other products.
——— End Update A part 2 of 2 ———
Mitsubishi Electric recommends users take the following mitigation measures to minimize risk associated with this vulnerability:
- Use a firewall or virtual private network (VPN) to prevent unauthorized access when Internet access is required.
- Use within a LAN and block access from untrusted networks and hosts through firewalls.
- Use the IP filter function to restrict the accessible IP addresses.
Please refer to the Mitsubishi Electric advisory for further details.
Source: