ICS Advisory

Mitsubishi Electric MELSEC iQ-R Series (Update D)

Alert Code: ICSA-20-282-02


1. EXECUTIVE SUMMARY

  • CVSS v3 8.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC iQ-R Series
  • Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a Denial-of-Service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC iQ-R Series, a Programmable Controller, are affected:

  • iQ-R series R00CPU: Versions "20" and prior
  • iQ-R series R01CPU: Versions "20" and prior
  • iQ-R series R02CPU: Versions "20" and prior
  • iQ-R series R04CPU: Versions "52" and prior
  • iQ-R series R08CPU: Versions "52" and prior
  • iQ-R series R16CPU: Versions "52" and prior
  • iQ-R series R32CPU: Versions "52" and prior
  • iQ-R series R120CPU: Versions "52" and prior
  • iQ-R series R04ENCPU: Versions "52" and prior
  • iQ-R series R08ENCPU: Versions "52" and prior
  • iQ-R series R16ENCPU: Versions "52" and prior
  • iQ-R series R32ENCPU: Versions "52" and prior
  • iQ-R series R120ENCPU: Versions "52" and prior
  • iQ-R series R08FCPU: Versions "22" and prior
  • iQ-R series R16FCPU: Versions "22" and prior
  • iQ-R series R32FCPU: Versions "22" and prior
  • iQ-R series R120FCPU: Versions "22" and prior
  • iQ-R series R08PCPU: Versions "25" and prior
  • iQ-R series R16PCPU: Versions "25" and prior
  • iQ-R series R32PCPU: Versions "25" and prior
  • iQ-R series R120PCPU: Versions "25" and prior
  • iQ-R series R16MTCPU Operating system software: Versions "21" and prior
  • iQ-R series R32MTCPU Operating system software: Versions "21" and prior
  • iQ-R series R64MTCPU Operating system software: Versions "21" and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

When the CPU module receives a specially crafted packet from a malicious attacker, an error may occur on the CPU module, and program execution and communication may then enter a denial-of-service condition. A reset is required to recover.

CVE-2020-16850 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Yossi Reuven of SCADAfence Ltd reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users update to the following:

  • iQ-R series R00CPU: Versions "21" or later
  • iQ-R series R01CPU: Versions "21" or later
  • iQ-R series R02CPU: Versions "21" or later
  • iQ-R series R04CPU: Versions "53" or later
  • iQ-R series R08CPU: Versions "53" or later
  • iQ-R series R16CPU: Versions "53" or later
  • iQ-R series R32CPU: Versions "53" or later
  • iQ-R series R120CPU: Versions "53" or later
  • iQ-R series R04ENCPU: Versions "53" or later
  • iQ-R series R08ENCPU: Versions "53" or later
  • iQ-R series R16ENCPU: Versions "53" or later
  • iQ-R series R32ENCPU: Versions "53" or later
  • iQ-R series R120ENCPU: Versions "53" or later
  • iQ-R series R08FCPU: Versions "23" or later
  • iQ-R series R16FCPU: Versions "23" or later
  • iQ-R series R32FCPU: Versions "23" or later
  • iQ-R series R120FCPU: Versions "23" or later
  • iQ-R series R08PCPU: Versions "26" or later
  • iQ-R series R16PCPU: Versions "26" or later
  • iQ-R series R32PCPU: Versions "26" or later
  • iQ-R series R120PCPU: Versions "26" or later
  • iQ-R series R16MTCPU Operating system software: Versions "22" or later
  • iQ-R series R32MTCPU Operating system software: Versions "22" or later
  • iQ-R series R64MTCPU Operating system software: Versions "22" or later

See the Mitsubishi Electric Advisory for the availability of updates for each product.

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.

For specific update instructions and additional details see the Mitsubishi Electric advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 19, 2020: Initial Publication
  • May 18, 2021: Update A - Added changes made to Mitigations.
  • September 14, 2021: Update B - Added changes made to Mitigations.
  • December 16, 2021: Update C - Added changes to Affected Products and Mitigations.
  • August 22, 2024: Update D - Added changes to CVSS string, Affected Products, and Mitigations.
