OTPulse

JTEKT TOYOPUC products

MonitorCVSS 7.5ICS-CERT ICSA-21-103-03Apr 13, 2021
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

JTEKT TOYOPUC programmable logic controllers contain a vulnerability (CWE-404) in Ethernet communication handling that allows an attacker to prevent or disrupt Ethernet connections between devices. The vulnerability affects 18 product models across the Plus CPU, Plus EFR, PC10 series, and related I/O module lines. An attacker on the network segment could send specific packets that cause the Ethernet interface to refuse new connections, blocking communication until the connection state times out or is manually reset. JTEKT has not released firmware patches for any affected product models.

What this means
What could happen
An attacker could disrupt Ethernet communications between JTEKT TOYOPUC PLCs and other networked devices, potentially halting data exchange needed for process monitoring and control until connections are re-established.
Who's at risk
Water authorities and electric utilities using JTEKT TOYOPUC programmable controllers (PLC family) for process automation, including Plus series CPUs (TCU/TCC models) and I/O modules with Ethernet connectivity. Affects any facility that depends on PLC-to-PLC or PLC-to-SCADA communication over Ethernet for real-time process monitoring and control.
How it could be exploited
An attacker on the same network as a JTEKT TOYOPUC PLC could send specially crafted packets to stop Ethernet communication channels from being established, severing network connectivity between the PLC and its connected devices (other PLCs, monitoring systems, engineering workstations).
Prerequisites
  • Network access to the PLC and connected devices on the same Ethernet segment
  • Ability to send network packets to the PLC
Remotely exploitableNo authentication requiredLow complexity attackNo vendor patch available (end-of-life products)Affects multiple PLC models across product line
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (18)
18 EOL
ProductAffected VersionsFix Status
Plus EX2 TCU-6858: All versionsAll versionsNo fix (EOL)
PC10G-CPU TCC-6353: All versionsAll versionsNo fix (EOL)
PC10B-P TCC-6373: All versionsAll versionsNo fix (EOL)
Plus BUS-EX TCU-6900: All versionsAll versionsNo fix (EOL)
PC10GE TCC-6464: All versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDEnable the Non-Reception timer in the Ethernet link parameters (access via link parameter screen > Timers > set Non-Reception timer to Enable)
WORKAROUNDConnect PLC to engineering workstation via USB cable and write the updated link parameters to the device
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDPerform device reset/restart or power cycle to activate the parameter changes
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: Plus EX2 TCU-6858: All versions, PC10G-CPU TCC-6353: All versions, PC10B-P TCC-6373: All versions, Plus BUS-EX TCU-6900: All versions, PC10GE TCC-6464: All versions, Plus CPU TCC-6740: All versions, Plus EFR TCU-6743: All versions, 2PORT-EFR THU-6404: All versions, PC10P-DP-IO TCC-6752: All versions, Plus EX TCU-6741: All versions, PC10E TCC-4737: All versions, Plus EFR2 TCU-6859: All versions, PC10B-E/C TCU-6521: All versions, PC10P-DP TCC-6726: All versions, PC10P TCC-6372: All versions, Plus 2P-EFR TCU-6929: All versions, PC10B TCC-1021: All versions, FL/ET-T-V2H THU-6289: All versions. Apply the following compensating controls:
HARDENINGIsolate TOYOPUC PLC devices from the Internet and locate them behind firewalls on a segregated control network
HARDENINGRestrict network access to TOYOPUC devices to only authorized engineering workstations and control systems
View full CISA ICS-CERT advisory
API: /api/v1/advisories/a2a8dd06-805d-4f4d-a83b-05e4545c1004

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

JTEKT TOYOPUC products | CVSS 7.5 - OTPulse