OTPulse

Mitsubishi Electric MELSEC-Q Series Ethernet Interface Module Vulnerabilities

Score: 8.6
Source: ICS-CERT ICSA-16-336-03
Date: Sep 4, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric MELSEC-Q Series Ethernet Interface Modules (QJ71E71-100, QJ71E71-B5, QJ71E71-B2) contain a broken or risky cryptographic algorithm (CWE-327) and an unrestricted externally accessible lock (CWE-412). These modules carry industrial control network traffic and do not implement a secure communication protocol properly. An attacker with network access to the Ethernet interface can capture, and potentially decrypt, sensitive control commands.

What this means
What could happen
An attacker on the network could capture and decrypt communications between engineering workstations and MELSEC-Q PLCs, exposing the control commands sent to industrial equipment; an attacker who is not merely sniffing but positioned on the path could also modify those commands.
Who's at risk
Energy sector utilities operating Mitsubishi MELSEC-Q Series programmable logic controllers (PLCs) with QJ71E71 Ethernet interface modules should be concerned. These modules are commonly used in power generation, distribution automation, and substation control systems. Any facility using these modules for critical process control is at risk of network-based eavesdropping.
How it could be exploited
An attacker with network access to the Ethernet segment where the QJ71E71 module is connected can passively intercept network traffic. Weak cryptography (CWE-327) allows the attacker to decrypt this traffic and read control commands, setpoints, or other sensitive data being transmitted to the PLC.
Prerequisites
  • Network access to the Ethernet segment where the MELSEC-Q PLC is connected
  • Ability to sniff or intercept Ethernet traffic (attacker can be on same LAN or have routed access to the PLC network)
Tags
  • remotely exploitable
  • no authentication required to intercept traffic
  • low complexity attack
  • no patch available
  • affects critical industrial control systems
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3)
All 3 products are end of life (EOL).
Product        Affected Versions          Fix Status
QJ71E71-100    vers:all/* (all versions)  No fix (EOL)
QJ71E71-B5     vers:all/* (all versions)  No fix (EOL)
QJ71E71-B2     vers:all/* (all versions)  No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Implement network segmentation and firewall rules so that only authorized engineering workstations and control systems can reach the MELSEC-Q Ethernet interface; deny everything else by default.
[HARDENING] Monitor and log all connections to the QJ71E71 Ethernet modules, and alert on unexpected connection attempts or traffic patterns: sources outside the allowlist, services the workstations do not normally use, and bursts of connection attempts.
[WORKAROUND] If remote engineering access to MELSEC-Q systems is required, carry it over a VPN or encrypted tunnel terminated on a gateway in front of the module, since the module's native encryption is weak and no fix will be issued for these end-of-life modules.
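The two hardening items above amount to a single allowlist: the firewall enforces it and the monitor reports violations of it. The Python below is an added example, not code from OTPulse, ICS-CERT or Mitsubishi. The module address 10.20.30.10, the workstation addresses, the service ports 5002/tcp and 5001/udp, the flow-log format, the burst threshold and the sample records are all assumptions chosen for the illustration and must be replaced with site values.

```python
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed topology (not from the advisory): the module's address and the only
# hosts allowed to reach it, plus the (proto, port) services they legitimately use.
PLC_MODULE = ipaddress.ip_address("10.20.30.10")
AUTHORISED_SOURCES = {ipaddress.ip_address("10.20.1.15"),   # engineering workstation 1
                      ipaddress.ip_address("10.20.1.16")}   # engineering workstation 2
ALLOWED_SERVICES = {("tcp", 5002), ("udp", 5001)}           # assumed port numbers
# More than BURST_LIMIT attempts from one source inside BURST_WINDOW is flagged
# as an unexpected traffic pattern, even when the source is authorised.
BURST_LIMIT = 3
BURST_WINDOW = timedelta(seconds=10)

UNAUTHORISED = "unauthorised source reached module"
UNEXPECTED_SERVICE = "authorised source used a non-allowlisted service"
OUTBOUND = "module initiated a connection to an unexpected host"
BURST = "connection burst to module"

Conn = namedtuple("Conn", "ts src dst proto dport")
Alert = namedtuple("Alert", "ts reason src proto dport")


def parse_record(line: str) -> Optional[Conn]:
    """Parse one record of the assumed flattened flow-log format
    '<iso timestamp> <src ip> <dst ip> <proto> <dst port>'. Malformed lines
    return None and are skipped, so they are never treated as benign traffic."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Conn(datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
                    ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                    parts[3].lower(), int(parts[4]))
    except ValueError:
        return None


def monitor(lines) -> List[Alert]:
    """Apply the allowlist to connection records and return the alerts raised."""
    alerts: List[Alert] = []
    recent = defaultdict(list)  # source -> timestamps of recent attempts on the module
    for line in lines:
        c = parse_record(line)
        if c is None:
            continue
        if c.dst == PLC_MODULE:
            if c.src not in AUTHORISED_SOURCES:
                alerts.append(Alert(c.ts.isoformat(), UNAUTHORISED, str(c.src), c.proto, c.dport))
            elif (c.proto, c.dport) not in ALLOWED_SERVICES:
                alerts.append(Alert(c.ts.isoformat(), UNEXPECTED_SERVICE, str(c.src), c.proto, c.dport))
            window = [t for t in recent[c.src] if c.ts - t <= BURST_WINDOW] + [c.ts]
            recent[c.src] = window
            if len(window) == BURST_LIMIT + 1:  # alert once, when the limit is crossed
                alerts.append(Alert(c.ts.isoformat(), BURST, str(c.src), c.proto, c.dport))
        elif c.src == PLC_MODULE and c.dst not in AUTHORISED_SOURCES:
            alerts.append(Alert(c.ts.isoformat(), OUTBOUND, str(c.src), c.proto, c.dport))
    return alerts


def nft_ruleset() -> str:
    """Render the same allowlist as an nftables fragment for a Linux firewall
    assumed to sit between the workstation segment and the module; everything
    not listed is logged and dropped, which is what feeds the monitor above."""
    srcs = ", ".join(str(s) for s in sorted(AUTHORISED_SOURCES))
    rules = ["table inet plc {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    for proto, port in sorted(ALLOWED_SERVICES):
        rules.append(f"    ip saddr {{ {srcs} }} ip daddr {PLC_MODULE} {proto} dport {port} accept")
    rules.append(f'    ip daddr {PLC_MODULE} log prefix "plc-drop: " drop')
    return "\n".join(rules + ["  }", "}"])


# Constructed sample log, not captured traffic: two authorised workstations, one
# stray host, one outbound attempt from the module, a malformed line and a burst.
SAMPLE_LOG = """\
2016-12-01T10:00:01Z 10.20.1.15 10.20.30.10 tcp 5002
2016-12-01T10:00:02Z 10.20.1.16 10.20.30.10 udp 5001
2016-12-01T10:00:03Z 10.20.1.15 10.20.30.10 tcp 21
2016-12-01T10:00:04Z 10.20.9.99 10.20.30.10 tcp 5002
2016-12-01T10:00:05Z 10.20.30.10 192.0.2.50 tcp 80
this line is malformed and must be skipped
2016-12-01T10:00:06Z 10.20.1.15 10.20.30.10 tcp 5002
2016-12-01T10:00:06Z 10.20.1.15 10.20.30.10 tcp 5002
"""

if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} ALERT {a.reason}: {a.src} {a.proto}/{a.dport}")
    print(nft_ruleset())
```

Run it directly to see the four alerts for the constructed log (an authorised workstation touching a non-allowlisted service, a stray host, the module calling out, and a burst) followed by the generated nftables fragment. In production, feed it the firewall's own drop log or flow records, and keep the three constants at the top as the single source of truth so that the ruleset and the monitor never drift apart.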
Mitigations - no patch available
The following products have reached end of life with no planned fix: QJ71E71-100 (all versions), QJ71E71-B5 (all versions), QJ71E71-B2 (all versions). Apply the following compensating controls:
[HARDENING] Isolate MELSEC-Q systems on a dedicated control network, air-gapped where that is feasible; where it is not, minimize and strictly control any connection to corporate IT or external networks.