Mitsubishi Electric MELSEC iQ-R Series (Update C)

CVSS 5.3 | ICS-CERT ICSA-20-161-02 | Jun 9, 2020
Vendor: Mitsubishi Electric | Sector: Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric MELSEC iQ-R series CPUs are vulnerable to denial-of-service attacks on their Ethernet ports when specially crafted packets are received. The vulnerability affects RJ71EN71 (firmware <= 49), R00/01/02CPU (firmware <= 7), R04/08/16/32/120CPU and R04/08/16/32/120ENCPU (firmware <= 39), R08/16/32/120SFCPU (firmware <= 20), R08/16/32/120PCPU (firmware <= 24), and R08/16/32/120PSFCPU (firmware <= 05). Successful exploitation causes the Ethernet port to enter a denial-of-service condition, preventing legitimate communications with the controller.

What this means
What could happen
An attacker could send specially crafted packets to the Ethernet port of affected Mitsubishi MELSEC iQ-R CPUs, causing the port to stop accepting legitimate communications and disrupting remote monitoring and control of the industrial process.
Who's at risk
Utilities and manufacturers operating Mitsubishi Electric MELSEC iQ-R series programmable logic controllers (CPUs) in power generation, distribution, or other energy production environments. Affected models include RJ71EN71, R00/01/02CPU, R04/08/16/32/120CPU, R04/08/16/32/120ENCPU, R08/16/32/120SFCPU, R08/16/32/120PCPU, and R08/16/32/120PSFCPU devices running older firmware versions.
How it could be exploited
An attacker with network access to the Ethernet port would send malformed packets designed to trigger the denial-of-service condition. The attack requires no authentication and can be launched from any network device that can reach the CPU's Ethernet interface, such as a compromised workstation on the same network or across an untrusted network connection.
Prerequisites
  • Network access to the Ethernet port of the affected CPU
  • No authentication required
  • Ability to send specially crafted packets to the CPU's network interface
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects operational control systems in the energy sector
  • DoS disrupts communications to the PLC
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
R08/16/32/120SFCPU | Firmware ≤ 20 | 21+
R08/16/32/120PCPU | Firmware ≤ 24 | 25+
RJ71EN71 | Firmware ≤ 49 | 50+
R00/01/02CPU | Firmware ≤ 7 | 8+
R04/08/16/32/120CPU, R04/08/16/32/120ENCPU | Firmware ≤ 39 | 40+
R08/16/32/120PSFCPU | Firmware ≤ 05 | 6+
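The affected-version table above is only useful once it is run against an asset inventory. The following is an added example (not code from the advisory or from Mitsubishi Electric) that expands the advisory's model families (e.g. "R04/08/16/32/120ENCPU") into individual model names, compares recorded firmware numerically (so "05" is handled correctly), and lists the devices that still need the listed firmware update. Asset tags and firmware values in the sample inventory are constructed.

```python
import re
# Thresholds from this advisory's table: (highest affected firmware, first fixed firmware).
ADVISORY = {
    "RJ71EN71": (49, 50), "R00/01/02CPU": (7, 8), "R08/16/32/120PSFCPU": (5, 6),
    "R04/08/16/32/120CPU": (39, 40), "R04/08/16/32/120ENCPU": (39, 40),
    "R08/16/32/120SFCPU": (20, 21), "R08/16/32/120PCPU": (24, 25),
}

def expand_family(family):
    """'R04/08/16/32/120ENCPU' -> ['R04ENCPU', 'R08ENCPU', ...]; names without '/' map to themselves."""
    m = re.fullmatch(r"R([\d/]+)([A-Z]*CPU)", family)
    if not m:
        return [family]
    numbers, suffix = m.groups()
    return [f"R{n}{suffix}" for n in numbers.split("/")]

# Per-model lookup, e.g. MODEL_INDEX["R120PSFCPU"] == (5, 6)
MODEL_INDEX = {m: thr for fam, thr in ADVISORY.items() for m in expand_family(fam)}
def parse_firmware(text):
    """Firmware prints with leading zeros ('05'), so compare as integers; None if no digits."""
    m = re.search(r"\d+", str(text))
    return int(m.group()) if m else None

def assess(model, firmware):
    """One device -> 'affected', 'fixed', 'unknown-firmware' or 'not-in-advisory'."""
    thr = MODEL_INDEX.get(model.strip().upper())
    if thr is None:
        return "not-in-advisory"
    version = parse_firmware(firmware)
    if version is None:
        return "unknown-firmware"
    return "affected" if version <= thr[0] else "fixed"

def triage(inventory):
    """Rows are (asset, model, firmware); returns rows that need action plus the target version."""
    findings = []
    for asset, model, firmware in inventory:
        status = assess(model, firmware)
        if status in ("affected", "unknown-firmware"):
            fixed = MODEL_INDEX[model.strip().upper()][1]
            findings.append((asset, model, status, f"update to firmware {fixed} or later"))
    return findings

# Constructed sample inventory (hypothetical asset tags and firmware values, not from the advisory).
SAMPLE_INVENTORY = [
    ("plc-sub-01", "R120PSFCPU", "05"),     # affected: 05 <= 05
    ("plc-sub-02", "R08ENCPU", "40"),       # fixed: 40 is the first fixed version
    ("plc-gen-01", "RJ71EN71", "Ver. 49"),  # affected: 49 <= 49
    ("plc-gen-02", "R16SFCPU", ""),         # firmware not recorded: verify on the device
]
```

Devices whose firmware is not recorded are reported alongside affected ones, since an unknown version cannot be assumed fixed.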
Remediation & Mitigation
Do now
WORKAROUND: Configure firewalls and network access controls to restrict access to the Ethernet ports of MELSEC CPUs from untrusted networks and hosts
HARDENING: Verify that MELSEC modules are not connected to untrusted networks or hosts; document trusted network connections only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RJ71EN71 to firmware version 50 or later
HOTFIX: Update R04/08/16/32/120CPU and R04/08/16/32/120ENCPU to firmware version 40 or later
HOTFIX: Update R08/16/32/120SFCPU to firmware version 21 or later
HOTFIX: Update R08/16/32/120PCPU to firmware version 25 or later
HOTFIX: Update R08/16/32/120PSFCPU to firmware version 06 or later
HOTFIX: Update R00/01/02CPU to firmware version 8 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate MELSEC systems from non-essential network traffic and untrusted devices