Predictable Seed in Pseudo-Random Number Generator in Mitsubishi Electric MELSEC iQ-F, iQ-R Series



Published: 2023-01-18 | Updated: 2023-04-11
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-40267
CWE-ID CWE-337
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
MELSEC iQ-F FX5U
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-F FX5UC
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-F FX5UC-32MT/DS-TS
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-F FX5UC-32MT/DSS-TS
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-F FX5UC-32MR/DS-TS
Hardware solutions / Routers & switches, VoIP, GSM, etc

MELSEC iQ-R 00 CPU
Hardware solutions / Firmware

MELSEC iQ-R 01 CPU
Hardware solutions / Firmware

MELSEC iQ-R 02 CPU
Hardware solutions / Firmware

MELSEC iQ-R 04 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 08 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 16 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 32 (EN) CPU
Hardware solutions / Firmware

MELSEC iQ-R 120 (EN) CPU
Hardware solutions / Firmware

Vendor Mitsubishi Electric

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Predictable Seed in Pseudo-Random Number Generator (PRNG)

EUVDB-ID: #VU71302

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-40267

CWE-ID: CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to predictable seed in the pseudo-random number generator within the WEB server function. A remote attacker can bypass authorization on the target system.

This vulnerability affects the following products:

  • MELSEC iQ-F Series with serial number 17X**** or later:  
    • FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Versions 1.280 and prior 
    • FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS: Versions 1.280 and prior 
  • MELSEC iQ-F Series with serial number 179**** and prior:  
    • FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: Versions 1.074 and prior 
    • FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS: Versions 1.074 and prior 
  • MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: Versions 1.280 and prior 
  • MELSEC iQ-R Series R00/01/02CPU: All versions 
  • MELSEC iQ-R Series R04/08/16/32/ 120(EN)CPU: All versions 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

MELSEC iQ-F FX5U: 1.074 - 1.280

MELSEC iQ-F FX5UC: 1.074 - 1.280

MELSEC iQ-F FX5UC-32MT/DS-TS: 1.280

MELSEC iQ-F FX5UC-32MT/DSS-TS: 1.280

MELSEC iQ-F FX5UC-32MR/DS-TS: 1.280

MELSEC iQ-R 00 CPU: All versions

MELSEC iQ-R 01 CPU: All versions

MELSEC iQ-R 02 CPU: All versions

MELSEC iQ-R 04 (EN) CPU: All versions

MELSEC iQ-R 08 (EN) CPU: All versions

MELSEC iQ-R 16 (EN) CPU: All versions

MELSEC iQ-R 32 (EN) CPU: All versions

MELSEC iQ-R 120 (EN) CPU: All versions

External links

http://ics-cert.us-cert.gov/advisories/icsa-23-017-02


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###