[Japanese]

JVNDB-2020-001591

Multiple vulnerabilities in TCP/IP function on Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000

Overview

MELSEC C Controller Module and MELIPC Series MI5000 provided by Mitsubishi Electric Corporation have multiple vulnerabilities due to the vulnerabilities called "URGENT/11" in TCP/IP function (IPnet) of VxWorks, a real-time OS distributed by Wind River.

* Q24DHCCPU-V and Q24DHCCPU-VG
* Buffer Error (CWE-119) - CVE-2019-12255
* Buffer Error (CWE-119) - CVE-2019-12257
* Session Fixation (CWE-384) - CVE-2019-12258
* NULL Pointer Dereference (CWE-476) - CVE-2019-12259
* Buffer Error (CWE-119) - CVE-2019-12261
* Improper Access Control (CWE-284) - CVE-2019-12262
* Buffer Error (CWE-119) - CVE-2019-12263
* Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88) - CVE-2019-12264
* Improper Management of System Resources (CWE-399) - CVE-2019-12265

* R12CCPU-V and RD55UP06-V
* Buffer Error (CWE-119) - CVE-2019-12256
* Session Fixation (CWE-384) - CVE-2019-12258
* NULL Pointer Dereference (CWE-476) - CVE-2019-12259
* Buffer Error (CWE-119) - CVE-2019-12261
* Improper Access Control (CWE-284) - CVE-2019-12262
* Buffer Error (CWE-119) - CVE-2019-12263
* Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88) - CVE-2019-12264
* Improper Management of System Resources (CWE-399) - CVE-2019-12265

* MI5122-VW
* Buffer Error (CWE-119) - CVE-2019-12256
* Session Fixation (CWE-384) - CVE-2019-12258
* NULL Pointer Dereference (CWE-476) - CVE-2019-12259
* Buffer Error (CWE-119) - CVE-2019-12260
* Buffer Error (CWE-119) - CVE-2019-12261
* Improper Access Control (CWE-284) - CVE-2019-12262
* Buffer Error (CWE-119) - CVE-2019-12263
* Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88) - CVE-2019-12264
* Improper Management of System Resources (CWE-399) - CVE-2019-12265

For the details, refer to the information provided by the developer.
CVSS Severity (What is CVSS?)

Affected Products


Mitsubishi Electric
  • MELIPC Series MI5000 MI5122-VW Ethernet port (CH1): First 2 digits of serial number are 03 or before, or the firmware version is 03 or before
  • MELSEC iQ-R Series C Intelligent Function Module R12CCPU-V Ethernet port (CH1, CH2): First 2 digits of serial number are 11 or before
  • MELSEC iQ-R Series C Intelligent Function Module RD55UP06-V Ethernet port: First 2 digits of serial number are 08 or before
  • MELSEC iQ-R Series C Controller Module R12CCPU-V Ethernet port (CH1, CH2): First 2 digits of serial number are 11 or before
  • MELSEC iQ-R Series C Controller Module RD55UP06-V Ethernet port: First 2 digits of serial number are 08 or before
  • MELSEC-Q Series C Controller Module Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number are 21121 or before

For the details, refer to the information provided by the developer.
Impact

Receiving a TCP packet crafted by a remote attacker may cause a denial of service (DoS) condition or malware being executed.
Solution

[Update the Firmware]
Apply the appropriate firmware update according to the information provided by the developer.

[MELSEC-Q Series C Controller Module]

* Q24DHCCPU-V, Q24DHCCPU-VG: First 5 digits of serial number are "21122" or later

[MELSEC iQ-R Series C Controller Module / C Intelligent Function Module]

* R12CCPU-V: First 2 digits of serial number are "12" or later
* RD55UP06-V: First 2 digits of serial number are "09" or later

[MELIPC Series MI5000]

* MI5122-VW: First 2 digits of serial number are "04" or later, or the firmware version is "04" or later

[Apply the Workaround]
Applying the following workaround may mitigate the impacts of the vulnerabilities.

* Restrict access to the network

For the details, refer to the information provided by the developer.
Vendor Information

Mitsubishi Electric
CWE (What is CWE?)

CVE (What is CVE?)

  1. CVE-2020-5531
References

  1. JVN : JVNVU#95424547
  2. ICS-CERT ADVISORY : ICSA-19-274-01
  3. Related document : TCP/IP Network Stack (IPnet, Urgent/11)
Revision History

  • [2020/02/18]
      Web page was published