Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious programs on a target product by sending specially crafted packets.
Mitsubishi Electric reports this vulnerability affects the following MELSEC Series CPU module components. The following manuals show how to check the firmware version: “17.3 Troubleshooting Using the Engineering Tool”-“Module diagnostics” in the MELSEC iQ-F FX5S/FX5UJ/FX5U/FX5UC User’s Manual (Hardware) and “Appendix 1: Checking Production Information and Firmware Version” in the MELSEC iQ-R Module Configuration Manual:
A vulnerability due to copying buffers without checking size of input exists in these MELSEC Series CPU modules. Exploitation may allow denial of service and malicious code execution.
CVE-2023-1424 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-1424. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Matt Wiseman of Cisco Talos reported this vulnerability to Mitsubishi Electric.
Mitsubishi Electric created the following firmware versions to address this issue and encourages users to update:
In case of using the affected MELSEC iQ-R Series R08/16/32/120SFCPU, take mitigations and workarounds measures because updating the product to the fixed version is not available.
Users should refer to the following manuals when updating:
Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:
For specific update instructions and additional details see the Mitsubishi Electric advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1424
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1424
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/120.html
github.com/cisagov/CSAF
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Mitsubishi%20Electric%20MELSEC%20Series%20CPU%20Module%20%28Update%20D%29+https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-03
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-03&title=Mitsubishi%20Electric%20MELSEC%20Series%20CPU%20Module%20%28Update%20D%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-03
www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-003_en.pdf
www.mitsubishielectric.com/fa/download/index.html
www.mitsubishielectric.com/fa/download/index.html
www.mitsubishielectric.com/fa/download/index.html
www.mitsubishielectric.com/fa/download/index.html
www.mitsubishielectric.com/fa/download/index.html
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-03
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Mitsubishi%20Electric%20MELSEC%20Series%20CPU%20Module%20%28Update%20D%29&body=www.cisa.gov/news-events/ics-advisories/icsa-23-143-03