Japan Vulnerability Notes JVN:44764844
Nov 12, 2020 - 12:00 a.m.

JVN#44764844: MELSEC iQ-R Series CPU Modules vulnerable to uncontrolled resource consumption

2020-11-12 00:00:00 | Japan Vulnerability Notes | jvn.jp
Tags: mitsubishi electric corporation, vulnerability cwe-400, denial-of-service, software update, workarounds, firewall, vpn, lan security, firmware versions

CVSS v2: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.009 (percentile 83.0%)

MELSEC iQ-R series CPU modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability (CWE-400).

According to the developer, this issue does not occur when the “To Use or Not to Use Web Server Settings” parameter of the CPU module is set to “Not Use”. (The default setting is “Not Use”.)

Impact

When the CPU module receives a specially crafted HTTP packet from a remote attacker, a denial-of-service (DoS) condition may be caused on the product’s program execution and communication.
Note that a reset is required for recovery.

Solution

Update the software
Apply the appropriate update according to the information provided by the developer.
According to the developer, this vulnerability is fixed in the following firmware versions.

  • R00/01/02CPU firmware versions “20” and later
  • R04/08/16/32/120(EN)CPU firmware versions “52” and later

Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.

  • If the Web Server function is not in use, set “Not Use” for “To Use or Not to Use Web Server Settings”
  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when accessing the Internet
  • Use the product within a trusted LAN and block access from untrusted networks and hosts by using firewalls

Products Affected

The following MELSEC iQ-R series CPU modules are affected.

  • R00/01/02CPU Firmware versions from “05” to “19”
  • R04/08/16/32/120(EN)CPU Firmware versions from “35” to “51”
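The affected and fixed ranges above can be turned into an inventory check. The following is an added example (not part of the JVN advisory or Mitsubishi Electric's own tooling): it maps a module name and two-digit firmware version onto the advisory's ranges and, together with the Web Server setting, tells you whether a unit needs the update or the workaround. The module-name regexes, the treatment of versions outside the stated ranges as not affected, and the sample inventory are assumptions.

```python
"""Firmware-range triage for JVN#44764844 (MELSEC iQ-R CPU modules).

Added example, not from the advisory. Only the version ranges are taken
from the advisory; model-name patterns and the inventory are constructed.
"""
import re

# (module-name pattern, first affected, last affected, first fixed)
# Pattern for "R04/08/16/32/120(EN)CPU" is an assumption about how the
# advisory's shorthand expands to real model names.
AFFECTED_RANGES = [
    (re.compile(r"^R0[012]CPU$"), 5, 19, 20),
    (re.compile(r"^R(04|08|16|32|120)(EN)?CPU$"), 35, 51, 52),
]


def parse_firmware(version: str) -> int:
    """iQ-R firmware versions are two-digit strings such as '05' or '19'."""
    if not re.fullmatch(r"\d{2}", version):
        raise ValueError(f"unexpected firmware version format: {version!r}")
    return int(version)


def assess(model: str, version: str, web_server_enabled: bool):
    """Return (status, advice) for one CPU module.

    status: 'affected', 'fixed', 'not_affected' or 'unknown_model'.
    Versions outside the stated affected range are treated as not
    affected (assumption: the advisory lists only the ranges above).
    """
    fw = parse_firmware(version)
    for pattern, first, last, fixed in AFFECTED_RANGES:
        if not pattern.match(model):
            continue
        if fw >= fixed:
            return "fixed", "no action"
        if first <= fw <= last:
            advice = f"update to firmware {fixed:02d} or later"
            if web_server_enabled:
                advice += "; until then set Web Server to 'Not Use' and block HTTP from untrusted networks"
            return "affected", advice
        return "not_affected", "no action"
    return "unknown_model", "check model against the advisory"


def triage(inventory):
    """Run assess() over (model, firmware, web_server_enabled) tuples."""
    return [(m, *assess(m, v, w)) for m, v, w in inventory]


if __name__ == "__main__":
    SAMPLE = [("R04CPU", "40", True), ("R120ENCPU", "52", False),
              ("R01CPU", "03", True), ("R00CPU", "19", False)]  # constructed
    for model, status, advice in triage(SAMPLE):
        print(f"{model:10} {status:13} {advice}")
```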
