Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update C)

1. EXECUTIVE SUMMARY

• CVSS v3 7.5 *ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-R, iQ-L Series and MELIPC Series
• Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the module’s ethernet communication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports this vulnerability affects the following MELSEC iQ-R, iQ-L series CPU module, and MELIPC series:

• MELSEC iQ-R Series R00CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R01CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R02CPU: firmware versions 32 and prior
• MELSEC iQ-R Series R04(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R08(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R16(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R32(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R120(EN)CPU: firmware versions 65 and prior
• MELSEC iQ-R Series R08SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R16SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R32SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R120SFCPU: firmware versions 29 and prior
• MELSEC iQ-R Series R12CCPU-V: firmware versions 17 and prior
• MELSEC iQ-L Series L04HCPU: All versions
• MELSEC iQ-L Series L08HCPU: All versions
• MELSEC iQ-L Series L16HCPU: All versions
• MELSEC iQ-L Series L32HCPU: All versions
• MELIPC Series MI5122-VW: firmware versions 07 and prior

3.2 Vulnerability Overview

3.2.1IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404

A denial-of-service vulnerability due to improper resource shutdown or release exists in Mitsubishi Electric MELSEC iQ-R, iQ-L series CPU module, and MELIPC series. This vulnerability could allow a remote attacker to cause a denial-of-service condition in the module’s ethernet communication by sending specially crafted packets.

CVE-2022-33324 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric fixed the following products:

• MELSEC iQ-R Series R00CPU: firmware versions 33 or later
• MELSEC iQ-R Series R01CPU: firmware versions 33 or later
• MELSEC iQ-R Series R02CPU: firmware versions 33 or later
• MELSEC iQ-R Series R04(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R08(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R16(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R32(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R120(EN)CPU: firmware versions 66 or later
• MELSEC iQ-R Series R08SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R16SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R32SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R120SFCPU: firmware versions 30 or later
• MELSEC iQ-R Series R12CCPU-V: firmware versions 18 or later
• MELIPC Series MI5122-VW: firmware versions 08 or later

Mitsubishi Electric offers the following countermeasures for users:

• MELSEC iQ-R Series firmware versions 08 and prior: It is not possible to update to the firmware versions listed above. Follow the mitigation measures below.
• MELSEC iQ-R Series firmware versions 09 or later: Download a fixed firmware update file to update the firmware. Please refer to MELSEC iQ-R Module Configuration Manual “Appendix 2 Firmware Update Function” to learn how to update firmware.
• MELIPC Series: It is not possible to update to the firmware versions listed above. Follow the mitigation measures below.

Mitsubishi Electric recommends users take mitigation measures to minimize the risk of exploiting this vulnerability:

• Use a firewall, virtual private network (VPN), or other means to prevent unauthorized access when internet access is required.
• Use the product inside a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
• Use an IP filter function to block access from untrusted hosts. For details on the remote password function and IP filter function, users can refer to the following manual for each product:
  • MELSEC iQ-R Ethernet User’s Manual (Application) 1.13 Security “IP filter.”
  • MELSEC iQ-L CPU module User’s Manual (Application) 24.1 “IP filter Function.”
  • MELSEC iQ-R C Controller Module User’s Manual (Application) 6.6 Security Function “IP filter.”
  • MELIPC MI5000 Series User’s Manual (Application) “11.3 IP Filter Function.”

For specific update instructions and additional details, see Mitsubishi Electric advisory 2022-018.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• December 22, 2022: Initial Publication
• July 13, 2023: Update A - Added new mitigation information for MELSEC iQ-R Series R08/16/32/120SFCPU firmware
• December 12, 2023: Update B - Added new mitigation information for MELSEC iQ-R Series R12CCPU-V firmware
• May 30, 2024: Update C - Added new mitigation information for MELIPC Series