[Japanese]

JVNDB-2020-002958

Denial-of-service (DoS) vulnerability in Mitsubishi Electric MELSOFT transmission port

Overview

MELSOFT transmission port (UDP/IP) of MELSEC iQ-R, iQ-F, Q, L, and F series provided by Mitsubishi Electric Coporation contains an uncontrolled resource consumption issue (CWE-400). When MELSOFT transmission port receives massive amount of data, resource consumption occurs and the port does not process the data properly. As a result, it may fall into a denial-of-service (DoS) condition.

Mitsubishi Electric Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products


Mitsubishi Electric
  • MELSEC F series (all versions)
  • MELSEC iQ-F series (all versions)
  • MELSEC iQ-R series (all versions)
  • MELSEC L series (all versions)
  • MELSEC Q series (all versions)

Impact

When MELSOFT transmission port does not process data properly, a client becomes unable to communicate with MELSOFT transmission port. Also, the other devices which communicate using the other communication port may become unable to connect to MELSOFT transmission port.

According to the developer, this vulnerability only affects Ethernet communication functions.
Solution

[Apply Workarounds]
The developer states that this vulnerability does not affect sequential controls, and when a denial-of-service (DoS) condition is ended, the communication functions become to behave properly. Therefore there is no plan to provide any updates or patches to address to this issue.

However, according to the developer, applying the workaround listed below may mitigate the impacts of this vulnerability.

* Set up Firewall and restrict access from the devices via network
* Use IP address filter function and restrict IP addresses which can be connected to

For the details of the mitigations, refer to the information provided by the developer.
Vendor Information

Mitsubishi Electric
CWE (What is CWE?)

  1. Uncontrolled Resource Consumption ('Resource Exhaustion')(CWE-400) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5527
References

  1. JVN : JVNVU#91553662
  2. National Vulnerability Database (NVD) : CVE-2020-5527
  3. ICS-CERT ADVISORY : ICSA-20-091-02
Revision History

  • [2020/03/31]
      Web page was published
  • [2020/04/01]
      References : Content was added

Date Public2020/03/30
Date First Published2020/03/31
Date Last Updated2020/04/01