(I)IoT Security News
Market, News, Recommendations, Standards

Mitsubishi Electric MELSEC iQ-R Series (Update A)

1. EXECUTIVE SUMMARY

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled “ICSA-21-287-03 Mitsubishi Electric MELSEC iQ-R Series” that was published October 14, 2021, on the ICS webpage on cisa.gov/ICS

3.RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to be able to log in to the CPU module by obtaining credentials.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

——— Begin Update A part 1 of 2 ———

Mitsubishi Electric reports the vulnerability affects the following MELSEC CPU Modules: 

4.2 VULNERABILITY OVERVIEW

4.2.1    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION VULNERABILITY CWE-319

——— End Update A part 1 of 2 ———

An unauthorized remote attacker may be able to log in to the CPU module by obtaining credentials other than password.

CVE-2021-20599 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

4.3 BACKGROUND

4.4 RESEARCHER

Ivan Speziale of Nozomi Networks reported this vulnerability to CISA.

5. MITIGATIONS

——— Begin Update A part 2 of 2 ———

Mitsubishi Electric has prepared the following countermeasures: 

Mitsubishi Electric will release updates for other products.

——— End Update A part 2 of 2 ———

Mitsubishi Electric recommends users take the following mitigation measures to minimize risk associated with this vulnerability:

Please refer to the Mitsubishi Electric advisory for further details.
Source:

https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-03

Related posts

Siemens KTK, SIDOOR, SIMATIC, and SINAMICS

(I) IoT
5 years ago

Siemens OPC UA Protocol Stack Discovery Service (Update D)

(I) IoT
4 years ago

Siemens TIM 4R-IE Devices

(I) IoT
4 years ago
Exit mobile version