Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E)

MonitorCVSS 7.5ICS-CERT ICSA-20-303-01Oct 29, 2020

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Mitsubishi Electric MELSEC iQ-R, Q, and L Series CPUs allows a remote attacker to trigger a denial-of-service condition on the Ethernet port by sending malicious network traffic. The vulnerability affects multiple CPU models including PCPU, PSFCPU, MTCPU, CPU, SFCPU variants and UDECPU, UDEHCPU, UDVCPU, UDPVCPU models in the Q Series, as well as L Series CPU variants. No vendor patch is currently available for any of the affected products. The condition causes the Ethernet interface to become unresponsive, disrupting communication between the CPU and connected devices such as engineering workstations and HMI systems.

What this means

What could happen

An attacker could send malicious network traffic to the Ethernet port on a MELSEC CPU module, causing the Ethernet interface to become unresponsive and interrupting communication between the PLC and engineering workstations, HMIs, or other control devices.

Who's at risk

Energy sector operators (electric utilities, generation facilities) using Mitsubishi Electric MELSEC iQ-R, Q, or L Series PLCs should care about this vulnerability. It affects PCPU, PSFCPU, MTCPU, CPU, SFCPU, UDECPU, UDEHCPU, UDVCPU, UDPVCPU, DCPU-S1, DSCPU, MCPU, MSCPU, and other variants in these product lines. Any facility relying on these CPUs for critical control functions is at risk.

How it could be exploited

An attacker on the same network segment (or with network routing to the PLC) sends specially crafted packets to the Ethernet port of a vulnerable MELSEC CPU. The CPU's network interface fails to handle the malicious traffic correctly, entering a denial-of-service condition that blocks normal Ethernet communication.

Prerequisites

Network access to the Ethernet port of a MELSEC iQ-R, Q, or L Series CPU module
No authentication required to trigger the denial-of-service condition

Remotely exploitableNo authentication requiredLow complexity attackNo patch available from vendorAffects control system communication

Exploitability

Some exploitation risk — EPSS score 3.0%

Affected products (52)

52 pending

ProductAffected VersionsFix Status

MELSEC iQ-R R120 PCPU firmware: <=24≤ 24No fix yet

MELSEC iQ-R R08 PSFCPU firmware: <=06≤ 06No fix yet

MELSEC iQ-R R16 PSFCPU firmware: <=06≤ 06No fix yet

MELSEC iQ-R R32 PSFCPU firmware: <=06≤ 06No fix yet

MELSEC iQ-R R120 PSFCPU firmware: <=06≤ 06No fix yet

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to MELSEC CPU Ethernet ports using a firewall or industrial switch ACL. Allow only trusted engineering workstations and HMI systems to communicate with the CPU.

WORKAROUNDMonitor Ethernet port status on MELSEC CPUs for unexpected loss of connectivity that could indicate an active denial-of-service attack.

Long-term hardening

0/2

HARDENINGIsolate MELSEC control systems on a separate VLAN or air-gapped network segment from the business network and the internet.

HARDENINGReview the MELSEC iQ-R Module Configuration Manual Appendix 2 to understand available firmware update procedures and prepare a maintenance window if patches become available in the future.

CVEs (1)

CVE-2020-5652

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fe775bcb-235b-4f99-b42f-6c2ab5591d67

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.