OTPulse

Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E)

Monitor | CVSS 7.5 | ICS-CERT ICSA-20-303-01 | Oct 29, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Mitsubishi Electric MELSEC iQ-R, Q, and L Series CPUs allows a remote attacker to trigger a denial-of-service condition on the Ethernet port by sending malicious network traffic. The vulnerability affects multiple CPU models including PCPU, PSFCPU, MTCPU, CPU, SFCPU variants and UDECPU, UDEHCPU, UDVCPU, UDPVCPU models in the Q Series, as well as L Series CPU variants. No vendor patch is currently available for any of the affected products. The condition causes the Ethernet interface to become unresponsive, disrupting communication between the CPU and connected devices such as engineering workstations and HMI systems.

What this means
What could happen
An attacker could send malicious network traffic to the Ethernet port on a MELSEC CPU module, causing the Ethernet interface to become unresponsive and interrupting communication between the PLC and engineering workstations, HMIs, or other control devices.
Who's at risk
Energy sector operators (electric utilities, generation facilities) using Mitsubishi Electric MELSEC iQ-R, Q, or L Series PLCs should care about this vulnerability. It affects PCPU, PSFCPU, MTCPU, CPU, SFCPU, UDECPU, UDEHCPU, UDVCPU, UDPVCPU, DCPU-S1, DSCPU, MCPU, MSCPU, and other variants in these product lines. Any facility relying on these CPUs for critical control functions is at risk.
How it could be exploited
An attacker on the same network segment (or with network routing to the PLC) sends specially crafted packets to the Ethernet port of a vulnerable MELSEC CPU. The CPU's network interface fails to handle the malicious traffic correctly, entering a denial-of-service condition that blocks normal Ethernet communication.
Prerequisites
  • Network access to the Ethernet port of a MELSEC iQ-R, Q, or L Series CPU module
  • No authentication required to trigger the denial-of-service condition
Remotely exploitable · No authentication required · Low complexity attack · No patch available from vendor · Affects control system communication
Exploitability
Moderate exploit probability (EPSS 3.0%)
Affected products (52)
52 pending
Product | Affected Versions | Fix Status
MELSEC iQ-R R120 PCPU firmware | ≤ 24 | No fix yet
MELSEC iQ-R R08 PSFCPU firmware | ≤ 06 | No fix yet
MELSEC iQ-R R16 PSFCPU firmware | ≤ 06 | No fix yet
MELSEC iQ-R R32 PSFCPU firmware | ≤ 06 | No fix yet
MELSEC iQ-R R120 PSFCPU firmware | ≤ 06 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to MELSEC CPU Ethernet ports using a firewall or industrial switch ACL. Allow only trusted engineering workstations and HMI systems to communicate with the CPU.
WORKAROUND: Monitor Ethernet port status on MELSEC CPUs for unexpected loss of connectivity that could indicate an active denial-of-service attack.
Long-term hardening
HARDENING: Isolate MELSEC control systems on a separate VLAN or air-gapped network segment from the business network and the internet.
HARDENING: Review the MELSEC iQ-R Module Configuration Manual Appendix 2 to understand available firmware update procedures and prepare a maintenance window if patches become available in the future.
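One way to implement the connectivity-monitoring workaround above, as an added example that is not code from OTPulse, ICS-CERT, or Mitsubishi Electric. It debounces reachability probes so a single dropped probe does not page anyone, and alerts only when a port that was previously answering stops. The PLC name, the threshold of three probes, and the sample history are assumptions; the advisory names no port, so `tcp_probe` must be pointed at a TCP port that your CPU's configuration actually has open.

```python
import socket
from dataclasses import dataclass

def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """One reachability check: can a TCP connection to the CPU's Ethernet port be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

@dataclass
class EthernetWatch:
    """Debounced up/down tracker for one PLC Ethernet port."""
    plc: str
    fail_threshold: int = 3   # consecutive failed probes before alerting (assumed value)
    state: str = "unknown"    # unknown -> up -> down -> up ...
    fails: int = 0

    def update(self, reachable: bool, ts: str):
        """Feed one probe result; return an alert string on a state change, else None."""
        if reachable:
            self.fails = 0
            previous, self.state = self.state, "up"
            if previous == "down":
                return f"{ts} RECOVERED {self.plc}: Ethernet port answering again"
            return None
        self.fails += 1
        # Alert only for a port that was seen up: a port that never answered
        # is a configuration problem, not an unexpected loss of connectivity.
        if self.state == "up" and self.fails >= self.fail_threshold:
            self.state = "down"
            return f"{ts} ALERT {self.plc}: Ethernet port unresponsive for {self.fails} probes"
        return None

def replay(plc, results, fail_threshold=3):
    """Run a recorded list of (timestamp, reachable) probe results through a watch."""
    watch = EthernetWatch(plc, fail_threshold)
    return [a for ts, ok in results if (a := watch.update(ok, ts))]

# Constructed probe history: one dropped probe (ignored), then a sustained outage.
SAMPLE = [("10:00:00", True), ("10:00:10", False), ("10:00:20", True),
          ("10:00:30", False), ("10:00:40", False), ("10:00:50", False),
          ("10:01:00", False), ("10:01:10", True)]

if __name__ == "__main__":
    for line in replay("plc-line1 (hypothetical)", SAMPLE):
        print(line)
```

In production, call `tcp_probe` on a fixed interval from a host that the firewall or ACL already permits to reach the CPU, and feed each result to `update`.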
Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E) | CVSS 7.5 - OTPulse