Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C)

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 *ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, Q, and L Series CPU Module; MELIPC Series CPU
• Vulnerability: Improper Resource Locking

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in a denial-of-service condition for Ethernet communication. A system restart would be required to restore functionality.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Mitsubishi Electric products are affected:

• MELSEC iQ-R Series R12CCPU-V CPU Firmware: Version 16 and prior
• MELSEC Q Series Q03UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q04UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q06UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q10UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q13UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q20UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q26UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q50UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q100UDECPU: Versions with the first 5 digits of serial number 24061 and prior
• MELSEC Q Series Q03UDVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q04UDVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q06UDVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q13UDVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q26UDVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q04UDPVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q06UDPVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q13UDPVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q26UDPVCPU: Versions with the first 5 digits of serial number 24051 and prior
• MELSEC Q Series Q12DCCPU-V: Versions with the first 5 digits of serial number 25061 and prior
• MELSEC Q Series Q24DHCCPU-V(G): Versions with the first 5 digits of serial number 25061 and prior
• MELSEC Q Series Q24DHCCPU-LS: Versions with the first 5 digits of serial number 25061 and prior
• MELSEC Q Series Q26DHCCPU-LS: Versions with the first 5 digits of serial number 25061 and prior
• MELSEC L Series L02CPU(-P): Versions with the first 5 digits of serial number 24051 and prior
• MELSEC L Series L06CPU(-P): Versions with the first 5 digits of serial number 24051 and prior
• MELSEC L Series L26CPU(-P): Versions with the first 5 digits of serial number 24051 and prior
• MELSEC L Series L26CPU-(P)BT: Versions with the first 5 digits of serial number 24051 and prior
• MELIPC Series MI5122-VW CPU Firmware: Version 05 and prior

3.2 Vulnerability Overview

3.2.1IMPROPER RESOURCE LOCKING CWE-413

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

CVE-2022-24946 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi has fixed the vulnerability in the following products:

• MELSEC iQ-R Series R12CCPU-V CPU: Firmware Version 17 and later
• MELSEC Q Series Q03UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q04UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q06UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q10UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q13UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q20UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q26UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q50UDECPU: Versions with the first 5 digits of serial No. 24062 and later
• MELSEC Q Series Q100UDECPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q03UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q04UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q06UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q13UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q26UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q04UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q06UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q13UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q26UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
• MELSEC Q Series Q12DCCPU-V: Versions with the first 5 digits of serial No. 25062 and later
• MELSEC Q Series Q24DHCCPU-V(G): Versions with the first 5 digits of serial No. 25062 and later
• MELSEC Q Series Q24DHCCPU-LS: Versions with the first 5 digits of serial No. 25062 and later
• MELSEC Q Series Q26DHCCPU-LS: Versions with the first 5 digits of serial No. 25062 and later
• MELSEC L Series L02CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
• MELSEC L Series L06CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
• MELSEC L Series L26CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
• MELSEC L Series L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24052 and later
• MELIPC Series MI5122-VW CPU: Firmware Version 06 and later

Mitsubishi Electric recommends customers apply the following countermeasures:

MELSEC iQ-R Series:

• Customers using the MELSEC iQ-R Series firmware versions 08 and prior will be unable to update to the fixed version. Take the mitigation measures that are common to all affected products found later in the advisory.
• Customers using the MELSEC iQ-R Series firmware versions 09 and later are recommended to download and install the updated firmware. Please refer to the MELSEC iQ-R Module Configuration Manual “Appendix 2 Firmware Update Function” for instructions on how to update the firmware.

MELSEC Q Series:

• Customers using the MELSEC Q Series will be unable to update to the respective fixed versions. Mitsubishi Electric recommends customers consider migrating to the MELSEC iQ-R Series. Take the mitigation measures that are common to all affected products found later in the advisory.

MELSEC L Series:

• Customers using the MELSEC L Series will be unable to update to the respective fixed versions. Mitsubishi Electric recommends customers consider migrating to the MELSEC iQ-R Series. Take the mitigation measures that are common to all affected products found later in the advisory.

MELIPC Series:

• Customers using the MELIPC Series will be unable to update to the fixed version. Take the mitigation measures that are common to all affected products found later in the advisory.

Mitsubishi Electric recommends the following mitigation measures as being common to all affected products:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.

For additional information, such as how to check device or firmware versions, see the Mitsubishi Electric security advisory.

Please contact Mitsubishi Electric customer support for more information on how to update specific hardware.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

5. UPDATE HISTORY

• June 14, 2022: Initial Publication
• August 16, 2022: Update A - Additional affected products added (R12CCPU-V, Q12DCCPU-V, Q24DHCCPU-V (G), Q24/26DHCCPU-LS, MI5122-VW); additional mitigations added (R12CCPU-V, Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU, MI5122-VW)
• July 27, 2023: Update B - Additional mitigations added (Q12DCCPU-V, Q24DHCCPU-V (G), Q24/26DHCCPU-LS).
• May 30, 2024: Update C - Product specific update information added to Mitigations section.