OTPulse

Mitsubishi Electric MELSEC iQ-R Series

Monitor | 5.3 | ICS-CERT ICSA-21-147-05 | May 27, 2021

Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The MELSEC iQ-R series controllers have a resource exhaustion vulnerability in their Ethernet communication interface. An attacker can send crafted connection requests to port 5007 (TCP) or the MELSOFT transmission port to exhaust available connection slots, preventing legitimate clients such as engineering workstations and SCADA systems from connecting to the controller. This results in denial of service and loss of visibility and control over the affected process. Mitsubishi Electric has not released a patch for any of the affected CPU models (R08/16/32/120SFCPU, R00/01/02CPU, R08/16/32/120PCPU, R04/08/16/32/120(EN)CPU, R08/16/32/120PSFCPU). If exploited, the connection can be restored by disabling the port with the forced connection invalidation function and then re-enabling it.

What this means
What could happen
An attacker can cause a denial of service against the MELSEC iQ-R controller by exhausting connection resources, preventing legitimate engineering workstations and SCADA systems from connecting and monitoring or controlling the facility.
Who's at risk
This affects all operators and engineers running Mitsubishi Electric MELSEC iQ-R series programmable logic controllers (PLCs) used in energy facilities, power distribution systems, and other industrial processes that rely on remote engineering access or SCADA communication over Ethernet.
How it could be exploited
An attacker with network access to the Ethernet port of the controller can send specially crafted connection requests to port 5007 (TCP) or the MELSOFT transmission port, exhausting available connection slots and blocking legitimate clients from establishing communication with the device.
Prerequisites
  • Network access to port 5007 (TCP) or MELSOFT transmission port on the controller
  • No authentication required
  • Controller must have Ethernet enabled and accessible from the attacker's network
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available (EOL products)
  • Affects control of industrial processes
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5, all EOL)

Product                  | Affected Versions | Fix Status
R08/16/32/120SFCPU       | All versions      | No fix (EOL)
R00/01/02CPU             | All versions      | No fix (EOL)
R08/16/32/120PCPU        | All versions      | No fix (EOL)
R04/08/16/32/120(EN)CPU  | All versions      | No fix (EOL)
R08/16/32/120PSFCPU      | All versions      | No fix (EOL)
Remediation & Mitigation

Do now
  • HARDENING: Deploy a firewall or network access control list to restrict access to port 5007 (TCP) and the MELSOFT transmission port to only trusted engineering workstations and SCADA systems.
  • HARDENING: Enable the IP filter function on the controller to restrict which IP addresses can connect; configure it to allow only known authorized systems.
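As an added illustration of the two hardening items above (this is example code, not part of the advisory or any Mitsubishi Electric tooling), the script below audits a constructed flow log of traffic to a controller's TCP port 5007: it reports sources that are not on the trusted-host allowlist the firewall/IP filter should enforce, and sources whose connection attempts exceed a threshold, which is the pattern a connection-slot exhaustion would leave in flow records. The PLC address, allowlist, log format and threshold are all assumptions for the example.

```python
from collections import Counter

MELSOFT_TCP_PORT = 5007  # TCP port named in the advisory

# Constructed sample flow log (not captured from a real device):
# "time src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10:00:01 10.10.1.20 10.10.5.10 5007 tcp
10:00:02 10.10.1.21 10.10.5.10 5007 tcp
10:00:03 10.10.9.77 10.10.5.10 5007 tcp
10:00:03 10.10.9.77 10.10.5.10 5007 tcp
10:00:03 10.10.9.77 10.10.5.10 5007 tcp
10:00:04 10.10.9.77 10.10.5.10 5007 tcp
10:00:04 10.10.9.77 10.10.5.10 5007 tcp
10:00:05 10.10.9.77 10.10.5.10 5007 tcp
10:00:06 10.10.3.40 10.10.5.10 502 tcp
"""

# Hypothetical allowlist: the engineering workstation and SCADA server only.
TRUSTED_HOSTS = {"10.10.1.20", "10.10.1.21"}
PLC_IP = "10.10.5.10"  # hypothetical controller address

def parse_flows(text):
    """Parse one flow per line into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "proto": proto})
    return flows

def audit_melsoft_access(flows, plc_ip, trusted, max_attempts=4):
    """Flag TCP/5007 sources not on the allowlist and sources whose
    connection attempts exceed max_attempts (an assumed tuning value).
    Returns (sorted unauthorized sources, {src: attempts} over threshold)."""
    attempts = Counter()
    unauthorized = set()
    for f in flows:
        if (f["dst"], f["port"], f["proto"]) != (plc_ip, MELSOFT_TCP_PORT, "tcp"):
            continue  # other ports/protocols are out of scope for this check
        if f["src"] not in trusted:
            unauthorized.add(f["src"])
        attempts[f["src"]] += 1
    suspects = {s: n for s, n in attempts.items() if n > max_attempts}
    return sorted(unauthorized), suspects
```

Any source in the first result is a host the firewall ACL or IP filter should already be blocking; the second result is the set to investigate for a connection-slot exhaustion attempt.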
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

  • WORKAROUND: Disable port 5007 (TCP) if MELSOFT transmission is not required; set b2 to '1' in the Buffer Memory configuration as documented in the MELSEC iQ-R Ethernet User's Manual.
  • WORKAROUND: Use UDP/IP for MELSOFT transmission instead of TCP/IP where possible.
Mitigations (no patch available)

The following products have reached End of Life with no planned fix: R08/16/32/120SFCPU (all versions), R00/01/02CPU (all versions), R08/16/32/120PCPU (all versions), R04/08/16/32/120(EN)CPU (all versions), R08/16/32/120PSFCPU (all versions). Apply the following compensating control:
  • HARDENING: Segment the controller onto a restricted LAN, blocking all inbound access from untrusted networks.