Mitsubishi Electric MELSEC iQ-R Series (Update C)

Plan PatchCVSS 7.5ICS-CERT ICSA-20-324-05Nov 19, 2020

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

This vulnerability is a resource handling flaw (CWE-400) in Mitsubishi Electric MELSEC iQ-R Series controllers. Successful exploitation causes a denial-of-service condition that makes the affected controller unresponsive. The affected products include multiple CPU module variants (R00/01/02CPU, R04/08/16/32/120(EN)CPU, R08/16/32/120SFCPU, R08/16/32/120PCPU, R08/16/32/120PSFCPU) and network gateway modules (RJ71EN71, RJ71GF11-T2, RJ72GF15-T2, RJ71GP21-SX, RJ71GP21S-SX, RJ71GN11-T2). Note that RJ71C24(-R2/R4) has no available patch. The vulnerability has a CVSS score of 7.5 and is not currently being actively exploited in the wild.

What this means

What could happen

An attacker with network access to affected Mitsubishi iQ-R controllers could send crafted network traffic that causes the device to stop responding (denial of service). This would interrupt all operations controlled by that device until it is manually restarted.

Who's at risk

Energy utilities and water authorities running Mitsubishi Electric MELSEC iQ-R Series controllers (CPU modules, Ethernet gateway modules) used for critical operations such as power generation, distribution, water treatment, and pump control systems. Any facility using these controllers for real-time process control is affected.

How it could be exploited

An attacker on your plant network or from the internet (if the controller is Internet-facing) sends a specially crafted network packet to the affected Mitsubishi CPU module. The malformed traffic exploits a resource handling flaw that exhausts the device's processing capacity, making it unresponsive to legitimate commands.

Prerequisites

Network access to the affected Mitsubishi iQ-R controller on port 502 (Modbus) or native Mitsubishi port 8000
No authentication required to send the malicious packet
Attacker must know or discover the controller's network address

remotely exploitableno authentication requiredlow complexity attackaffects critical operations and availabilitymultiple products and versions affected

Exploitability

Some exploitation risk — EPSS score 3.1%

Affected products (12)

11 with fix1 EOL

ProductAffected VersionsFix Status

R00/01/02CPU: firmware≤ 1920+

R04/08/16/32/120(EN)CPU: firmware≤ 5152+

R08/16/32/120PCPU: firmware≤ 2526+

RJ71EN71: firmware≤ 4748+

RJ71GF11-T2: firmware≤ 4748+

RJ71GP21-SX: firmware≤ 4748+

RJ71GP21S-SX: firmware≤ 4748+

RJ71C24(-R2/R4): all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/14

Do now

0/2

HARDENINGConfigure firewalls to restrict network access to Mitsubishi controllers from untrusted networks and the Internet

HARDENINGUse a VPN if remote access to controllers is required; block all direct Internet access

Schedule — requires maintenance window

0/11

Patching may require device reboot — plan for process interruption

Mitigations - no patch available

0/1

RJ71C24(-R2/R4): all versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate industrial control networks from corporate networks

CVEs (1)

CVE-2020-5668

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/400d95e9-b901-4ceb-ae9f-adcc39be2c6b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.