JVNDB-2020-005854

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series vulnerable to cleartext transmission of sensitive information

Overview

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series contain a vulnerability that allows cleartext transmission of sensitive information (CWE-319) between CPU modules and GX Works3 and/or GX Works2.
CVSS Severity

CVSS V3 Severity:
Base Metrics 10.0 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Mitsubishi Electric
  • MELSEC FX series CPU modules all versions
  • MELSEC iQ-F series CPU modules all versions
  • MELSEC iQ-R series CPU modules all versions
  • MELSEC L series CPU modules all versions
  • MELSEC Q series CPU modules all versions

Impact

If this vulnerability is exploited, a remote attacker may disclose or alter information, perform unauthorized operations, or conduct denial of service (DoS) attacks.
Solution

[Apply Workaround]
According to the developer, an update to resolve this vulnerability is not provided.

However, the developer recommends that users apply the following workaround to mitigate the impact of this vulnerability.

* When communicating via untrusted networks or hosts, encrypt the communication path by setting up a VPN.

For more information, refer to the information provided by the developer.
Vendor Information

Mitsubishi Electric
CWE

  1. Cleartext Transmission of Sensitive Information (CWE-319) [Other]
CVE

  1. CVE-2020-5594
References

  1. JVN : JVNVU#91424496
  2. National Vulnerability Database (NVD) : CVE-2020-5594
  3. ICS-CERT ADVISORY : ICSA-20-175-01
Revision History

  • [2020/06/24]
      Web page was published