Multiple vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series



Published: 2021-12-01
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2021-20609, CVE-2021-20610, CVE-2021-20611
CWE-ID: CWE-400, CWE-130, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
MELSEC iQ-R 00 CPU
Hardware solutions / Firmware

MELSEC iQ-R 01 CPU
Hardware solutions / Firmware

MELSEC iQ-R 02 CPU
Hardware solutions / Firmware

MELSEC iQ-Q 172 DCPU-S1
Hardware solutions / Firmware

MELSEC iQ-R 120 PCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 PCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 PCPU
Hardware solutions / Firmware

MELSEC iQ-R 08 PCPU
Hardware solutions / Firmware

MELSEC iQ-Q 100 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 50 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 26 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 20 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 13 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 10 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 06 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-Q 04 UDEHCPU
Hardware solutions / Firmware

MELSEC iQ-R 04 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 08 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 16 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 32 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 120 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 120 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 08 SFCPU
Hardware solutions / Firmware

MELSEC iQ-R 120 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 08 PSFCPU
Hardware solutions / Firmware

MELSEC iQ-R 64 MTCPU
Hardware solutions / Firmware

MELSEC iQ-R 32 MTCPU
Hardware solutions / Firmware

MELSEC iQ-R 16 MTCPU
Hardware solutions / Firmware

MELSEC iQ-Q 26 UDVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 13 UDVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 06 UDVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 04 UDVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 03 UDVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 26 UDPVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 13 UDPVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 06 UDPVCPU
Hardware solutions / Firmware

MELSEC iQ-Q 04 UDPVCPU
Hardware solutions / Firmware

MELSEC Q Series Q12DCCPU-V
Hardware solutions / Firmware

MELSEC Q Series Q24DHCCPU-V(G)
Hardware solutions / Firmware

MELSEC Q Series Q24/26DHCCPU-LS
Hardware solutions / Firmware

MELSEC iQ-Q MR-MQ100
Hardware solutions / Firmware

MELSEC Q Series Q172 DCPU-S1
Hardware solutions / Firmware

MELSEC Q Series Q173DCPU-S1
Hardware solutions / Firmware

MELSEC iQ-Q 173 DSCPU
Hardware solutions / Firmware

MELSEC iQ-Q 172 DSCPU
Hardware solutions / Firmware

MELSEC Q Series Q170MCPU
Hardware solutions / Firmware

MELSEC Q Series Q170MSCPU(-S1)
Hardware solutions / Firmware

MELSEC L Series L26CPU-(P)BT
Hardware solutions / Firmware

MELSEC L Series L26CPU(-P)
Hardware solutions / Firmware

MELSEC L Series L06(-P)
Hardware solutions / Firmware

MELSEC L Series L02(-P)
Hardware solutions / Firmware

MELIPC Series MI5122-VW
Hardware solutions / Firmware

MELSEC-Q Q03UDECPU
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-R Series C R12CCPU-V
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor Mitsubishi Electric

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU58464

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20609

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MELSEC iQ-R 00 CPU: 24

MELSEC iQ-R 01 CPU: 24

MELSEC iQ-R 02 CPU: 24

MELSEC iQ-Q 172 DCPU-S1: All versions

MELSEC iQ-R 120 PCPU: 29

MELSEC iQ-R 32 PCPU: 29

MELSEC iQ-R 16 PCPU: 29

MELSEC iQ-R 08 PCPU: 29

MELSEC iQ-Q 100 UDEHCPU: All versions

MELSEC iQ-Q 50 UDEHCPU: All versions

MELSEC iQ-Q 26 UDEHCPU: All versions

MELSEC iQ-Q 20 UDEHCPU: All versions

MELSEC iQ-Q 13 UDEHCPU: All versions

MELSEC iQ-Q 10 UDEHCPU: All versions

MELSEC iQ-Q 06 UDEHCPU: All versions

MELSEC iQ-Q 04 UDEHCPU: All versions

MELSEC-Q Q03UDECPU: All versions

MELSEC iQ-R 04 (EN) CPU: 57

MELSEC iQ-R 08 (EN) CPU: 57

MELSEC iQ-R 16 (EN) CPU: 57

MELSEC iQ-R 32 (EN) CPU: 57

MELSEC iQ-R 120 (EN) CPU: 57

MELSEC iQ-R 120 SFCPU: All versions

MELSEC iQ-R 32 SFCPU: All versions

MELSEC iQ-R 16 SFCPU: All versions

MELSEC iQ-R 08 SFCPU: All versions

MELSEC iQ-R 120 PSFCPU: All versions

MELSEC iQ-R 32 PSFCPU: All versions

MELSEC iQ-R 16 PSFCPU: All versions

MELSEC iQ-R 08 PSFCPU: All versions

MELSEC iQ-R 64 MTCPU: All versions

MELSEC iQ-R 32 MTCPU: All versions

MELSEC iQ-R 16 MTCPU: All versions

: All versions

MELSEC iQ-Q 26 UDVCPU: 23071

MELSEC iQ-Q 13 UDVCPU: 23071

MELSEC iQ-Q 06 UDVCPU: 23071

MELSEC iQ-Q 04 UDVCPU: 23071

MELSEC iQ-Q 03 UDVCPU: 23071

MELSEC iQ-Q 26 UDPVCPU: 23071

MELSEC iQ-Q 13 UDPVCPU: 23071

MELSEC iQ-Q 06 UDPVCPU: 23071

MELSEC iQ-Q 04 UDPVCPU: 23071

MELSEC Q Series Q12DCCPU-V: All versions

MELSEC Q Series Q24DHCCPU-V(G): All versions

MELSEC Q Series Q24/26DHCCPU-LS: All versions

MELSEC iQ-Q MR-MQ100: All versions

MELSEC Q Series Q172 DCPU-S1: All versions

MELSEC Q Series Q173DCPU-S1: All versions

MELSEC iQ-Q 173 DSCPU: All versions

MELSEC iQ-Q 172 DSCPU: All versions

MELSEC Q Series Q170MCPU: All versions

MELSEC Q Series Q170MSCPU(-S1): All versions

MELSEC L Series L26CPU-(P)BT: All versions

MELSEC L Series L26CPU(-P): All versions

MELSEC L Series L06(-P): All versions

MELSEC L Series L02(-P): All versions

MELIPC Series MI5122-VW: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-334-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Handling of Length Parameter Inconsistency

EUVDB-ID: #VU58465

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20610

CWE-ID: CWE-130 - Improper Handling of Length Parameter Inconsistency

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the affected product parses a formatted message or structure but does not handle, or incorrectly handles, a length field that is inconsistent with the actual length of the associated data. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MELSEC iQ-R 00 CPU: 24

MELSEC iQ-R 01 CPU: 24

MELSEC iQ-R 02 CPU: 24

MELSEC iQ-Q 172 DCPU-S1: All versions

MELSEC iQ-R 120 PCPU: 29

MELSEC iQ-R 32 PCPU: 29

MELSEC iQ-R 16 PCPU: 29

MELSEC iQ-R 08 PCPU: 29

MELSEC iQ-Q 100 UDEHCPU: All versions

MELSEC iQ-Q 50 UDEHCPU: All versions

MELSEC iQ-Q 26 UDEHCPU: All versions

MELSEC iQ-Q 20 UDEHCPU: All versions

MELSEC iQ-Q 13 UDEHCPU: All versions

MELSEC iQ-Q 10 UDEHCPU: All versions

MELSEC iQ-Q 06 UDEHCPU: All versions

MELSEC iQ-Q 04 UDEHCPU: All versions

MELSEC-Q Q03UDECPU: All versions

MELSEC iQ-R 04 (EN) CPU: 57

MELSEC iQ-R 08 (EN) CPU: 57

MELSEC iQ-R 16 (EN) CPU: 57

MELSEC iQ-R 32 (EN) CPU: 57

MELSEC iQ-R 120 (EN) CPU: 57

MELSEC iQ-R 120 SFCPU: All versions

MELSEC iQ-R 32 SFCPU: All versions

MELSEC iQ-R 16 SFCPU: All versions

MELSEC iQ-R 08 SFCPU: All versions

MELSEC iQ-R 120 PSFCPU: All versions

MELSEC iQ-R 32 PSFCPU: All versions

MELSEC iQ-R 16 PSFCPU: All versions

MELSEC iQ-R 08 PSFCPU: All versions

MELSEC iQ-R 64 MTCPU: All versions

MELSEC iQ-R 32 MTCPU: All versions

MELSEC iQ-R 16 MTCPU: All versions

MELSEC iQ-R Series C R12CCPU-V: All versions

MELSEC iQ-Q 26 UDVCPU: 23071

MELSEC iQ-Q 13 UDVCPU: 23071

MELSEC iQ-Q 06 UDVCPU: 23071

MELSEC iQ-Q 04 UDVCPU: 23071

MELSEC iQ-Q 03 UDVCPU: 23071

MELSEC iQ-Q 26 UDPVCPU: 23071

MELSEC iQ-Q 13 UDPVCPU: 23071

MELSEC iQ-Q 06 UDPVCPU: 23071

MELSEC iQ-Q 04 UDPVCPU: 23071

MELSEC Q Series Q12DCCPU-V: All versions

MELSEC Q Series Q24DHCCPU-V(G): All versions

MELSEC Q Series Q24/26DHCCPU-LS: All versions

MELSEC iQ-Q MR-MQ100: All versions

MELSEC Q Series Q172 DCPU-S1: All versions

MELSEC Q Series Q173DCPU-S1: All versions

MELSEC iQ-Q 173 DSCPU: All versions

MELSEC iQ-Q 172 DSCPU: All versions

MELSEC Q Series Q170MCPU: All versions

MELSEC Q Series Q170MSCPU(-S1): All versions

MELSEC L Series L26CPU-(P)BT: All versions

MELSEC L Series L26CPU(-P): All versions

MELSEC L Series L06(-P): All versions

MELSEC L Series L02(-P): All versions

MELIPC Series MI5122-VW: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-334-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU58466

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20611

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MELSEC iQ-R 00 CPU: 24

MELSEC iQ-R 01 CPU: 24

MELSEC iQ-R 02 CPU: 24

MELSEC iQ-Q 172 DCPU-S1: All versions

MELSEC iQ-R 120 PCPU: 29

MELSEC iQ-R 32 PCPU: 29

MELSEC iQ-R 16 PCPU: 29

MELSEC iQ-R 08 PCPU: 29

MELSEC iQ-Q 100 UDEHCPU: All versions

MELSEC iQ-Q 50 UDEHCPU: All versions

MELSEC iQ-Q 26 UDEHCPU: All versions

MELSEC iQ-Q 20 UDEHCPU: All versions

MELSEC iQ-Q 13 UDEHCPU: All versions

MELSEC iQ-Q 10 UDEHCPU: All versions

MELSEC iQ-Q 06 UDEHCPU: All versions

MELSEC iQ-Q 04 UDEHCPU: All versions

MELSEC-Q Q03UDECPU: All versions

MELSEC iQ-R 04 (EN) CPU: 57

MELSEC iQ-R 08 (EN) CPU: 57

MELSEC iQ-R 16 (EN) CPU: 57

MELSEC iQ-R 32 (EN) CPU: 57

MELSEC iQ-R 120 (EN) CPU: 57

MELSEC iQ-R 120 SFCPU: All versions

MELSEC iQ-R 32 SFCPU: All versions

MELSEC iQ-R 16 SFCPU: All versions

MELSEC iQ-R 08 SFCPU: All versions

MELSEC iQ-R 120 PSFCPU: All versions

MELSEC iQ-R 32 PSFCPU: All versions

MELSEC iQ-R 16 PSFCPU: All versions

MELSEC iQ-R 08 PSFCPU: All versions

MELSEC iQ-R 64 MTCPU: All versions

MELSEC iQ-R 32 MTCPU: All versions

MELSEC iQ-R 16 MTCPU: All versions

MELSEC iQ-R Series C R12CCPU-V: All versions

MELSEC iQ-Q 26 UDVCPU: 23071

MELSEC iQ-Q 13 UDVCPU: 23071

MELSEC iQ-Q 06 UDVCPU: 23071

MELSEC iQ-Q 04 UDVCPU: 23071

MELSEC iQ-Q 03 UDVCPU: 23071

MELSEC iQ-Q 26 UDPVCPU: 23071

MELSEC iQ-Q 13 UDPVCPU: 23071

MELSEC iQ-Q 06 UDPVCPU: 23071

MELSEC iQ-Q 04 UDPVCPU: 23071

MELSEC Q Series Q12DCCPU-V: All versions

MELSEC Q Series Q24DHCCPU-V(G): All versions

MELSEC Q Series Q24/26DHCCPU-LS: All versions

MELSEC iQ-Q MR-MQ100: All versions

MELSEC Q Series Q172 DCPU-S1: All versions

MELSEC Q Series Q173DCPU-S1: All versions

MELSEC iQ-Q 173 DSCPU: All versions

MELSEC iQ-Q 172 DSCPU: All versions

MELSEC Q Series Q170MCPU: All versions

MELSEC Q Series Q170MSCPU(-S1): All versions

MELSEC L Series L26CPU-(P)BT: All versions

MELSEC L Series L26CPU(-P): All versions

MELSEC L Series L06(-P): All versions

MELSEC L Series L02(-P): All versions

MELIPC Series MI5122-VW: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-334-02
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


