Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update E)

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 *ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, Q, and L Series
• Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service
condition in the Ethernet port on the CPU module.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports that the following MELSEC programmable controllers are affected:

• MELSEC iQ-R R00 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R01 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R02 CPU firmware: versions 20 and earlier
• MELSEC iQ-R R04 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R08 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R16 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R32 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R120 (EN) CPU firmware: versions 52 and earlier
• MELSEC iQ-R R08 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R16 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R32 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R120 SFCPU firmware: versions 22 and earlier
• MELSEC iQ-R R08 PCPU firmware: versions 24 and earlier
• MELSEC iQ-R R16 PCPU firmware: versions 24 and earlier
• MELSEC iQ-R R32 PCPU firmware: versions 24 and earlier
• MELSEC iQ-R R120 PCPU firmware: versions 24 and earlier
• MELSEC iQ-R R08 PSFCPU firmware: versions 06 and earlier
• MELSEC iQ-R R16 PSFCPU firmware: versions 06 and earlier
• MELSEC iQ-R R32 PSFCPU firmware: versions 06 and earlier
• MELSEC iQ-R R120 PSFCPU firmware: versions 06 and earlier
• MELSEC iQ-R R16 MTCPU operating system software: versions 21 and earlier
• MELSEC iQ-R R32 MTCPU operating system software: versions 21 and earlier
• MELSEC iQ-R R64 MTCPU operating system software: versions 21 and earlier
• MELSEC Q Q03 UDECPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q04 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q06 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q10 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q13 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q20 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q26 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q50 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q100 UDEHCPU: the first 5 digits of serial number 22081 and earlier
• MELSEC Q Q03 UDVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q04 UDVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q06 UDVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q13 UDVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q26 UDVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q04 UDPVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q06 UDPVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q13 UDPVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q26 UDPVCPU: the first 5 digits of serial number 22031 and earlier
• MELSEC Q Q172 DCPU-S1 operating system software: versions V and earlier
• MELSEC Q Q173 DCPU-S1 operating system software: versions V and earlier
• MELSEC Q Q172 DSCPU operating system software: versions W and earlier
• MELSEC Q Q173 DSCPU operating system software: versions W and earlier
• MELSEC Q Q170 MCPU operating system software: versions V and earlier
• MELSEC Q Q170 MSCPU(-S1) operating system software: versions W and earlier
• MELSEC Q MR-MQ100 operating system software: versions E and earlier. This product is sold in limited regions.
• MELSEC L L02 CPU (-P): the first 5 digits of serial number 23121 and earlier
• MELSEC L L06 CPU (-P): the first 5 digits of serial number 23121 and earlier
• MELSEC L L26 CPU (-P): the first 5 digits of serial number 23121 and earlier
• MELSEC L L26 CPU - (P) BT: the first 5 digits of serial number 23121 and earlier

3.2 Vulnerability Overview

3.2.1Uncontrolled Resource Consumption CWE-400

Mitsubishi Electric MELSEC iQ-R, Q, and L Series CPU modules are vulnerable to uncontrolled resource consumption. When the CPU module receives a specially crafted packet from a malicious attacker, Ethernet communication may enter a denial-of-service condition and a reset is required to recover it.

CVE-2020-5652 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

joker63 of ZheJiangQiAnTechnology reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric released the fixed version of the product. Refer to the list below to check if the version of your product is updatable and take the measures described after the list:

• MELSEC iQ-R R00 CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R01 CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R02 CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R04 (EN) CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R08 (EN) CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R16 (EN) CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R32 (EN) CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R120 (EN) CPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R08 SFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R16 SFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R32 SFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R120 SFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R08 PCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R16 PCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R32 PCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R120 PCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R08 PSFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R16 PSFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R32 PSFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R120 PSFCPU firmware: Refer to “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• MELSEC iQ-R R16 MTCPU operating system software: Updatable in all versions
• MELSEC iQ-R R32 MTCPU operating system software: Updatable in all versions
• MELSEC iQ-R R64 MTCPU operating system software: Updatable in all versions
• MELSEC Q Q03 UDECPU: Not updatable in any version
• MELSEC Q Q04 UDEHCPU: Not updatable in any version
• MELSEC Q Q06 UDEHCPU: Not updatable in any version
• MELSEC Q Q10 UDEHCPU: Not updatable in any version
• MELSEC Q Q13 UDEHCPU: Not updatable in any version
• MELSEC Q Q20 UDEHCPU: Not updatable in any version
• MELSEC Q Q26 UDEHCPU: Not updatable in any version
• MELSEC Q Q50 UDEHCPU: Not updatable in any version
• MELSEC Q Q100 UDEHCPU: Not updatable in any version
• MELSEC Q Q03 UDVCPU: Not updatable in any version
• MELSEC Q Q04 UDVCPU: Not updatable in any version
• MELSEC Q Q06 UDVCPU: Not updatable in any version
• MELSEC Q Q13 UDVCPU: Not updatable in any version
• MELSEC Q Q26 UDVCPU: Not updatable in any version
• MELSEC Q Q04 UDPVCPU: Not updatable in any version
• MELSEC Q Q06 UDPVCPU: Not updatable in any version
• MELSEC Q Q13 UDPVCPU: Not updatable in any version
• MELSEC Q Q26 UDPVCPU: Not updatable in any version
• MELSEC Q Q172 DCPU-S1 operating system software: Updatable in all versions
• MELSEC Q Q173 DCPU-S1 operating system software: Updatable in all versions
• MELSEC Q Q172 DSCPU operating system software: Updatable in all versions
• MELSEC Q Q173 DSCPU operating system software: Updatable in all versions
• MELSEC Q Q170 MCPU operating system software: Updatable in all versions
• MELSEC Q Q170 MSCPU(-S1) operating system software: Updatable in all versions
• MELSEC Q MR-MQ100 operating system software: Updatable in all versions
• MELSEC L L02 CPU (-P): Not updatable in any version
• MELSEC L L06 CPU (-P): Not updatable in any version
• MELSEC L L26 CPU (-P): Not updatable in any version
• MELSEC L L26 CPU - (P) BT: Not updatable in any version

In case your product is updatable, download a fixed update file from the following site and update the firmware or operating system software: <https://www.mitsubishielectric.com/fa/download/index.html&gt;

For the fixed versions, see Mitsubishi Electric advisory

Refer to below for detail on updating:

• “Appendix 2 Firmware Update Function” in the MELSEC iQ-R Module Configuration Manual
• “8.4 Installing the Operating System Software” in the MELSEC iQ-R Motion Controller Programing Manual (Common)
• “5.3 Operating System Software Installation Procedure” in the Q173D(S)/Q172(S)CPU Motion Controller User’s Manual
• “5.3 Operating System Software Installation Procedure” in the Q170MCPU Motion Controller User’s Manual
• “5.3 Operating System Software Installation Procedure” in the Q170MSCPU Motion Controller User’s Manual
• “5.3 Operating System Software Installation Procedure” in the MR-MQ100 Motion Controller User’s Manual (Details)

In case your product is not updatable, Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.

Please refer to Mitsubishi Electric’s website for details on available patches.
Mitsubishi Electric recommends users update their products by downloading and applying the latest versions. Please contact a Mitsubishi Electric representative for additional details.

For specific additional details, see [Mitsubishi Electric advisory 2020-013].(<https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf&gt;).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• October 29, 2020: Initial Publication
• May 18, 2021: Update A - Added an affected product
• January 13, 2022: Update B - Added additional affected products
• April 04, 2022: Update C - Added additional affected products
• December 19, 2023: Update D - Update to the researcher section and affected products
• September 05, 2024: Update E - Update to the affected products and mitigations