Insufficient verification of data authenticity in Mitsubishi Electric MELSEC Series

Published: 2023-11-03

Risk	High
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2023-4699
CWE-ID	CWE-345
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	MELSEC-F FX3U Hardware solutions / Firmware MELSEC-F FX3U-32MR/UA1 Hardware solutions / Firmware MELSEC-F FX3U-64MS/ES Hardware solutions / Firmware MELSEC-F FX3UC Hardware solutions / Firmware MELSEC-F FX3UC-16MR/D-T Hardware solutions / Firmware MELSEC-F FX3UC-16MR/DS-T Hardware solutions / Firmware MELSEC-F FX3UC-32MT-LT Hardware solutions / Firmware MELSEC-F FX3UC-32MT-LT-2 Hardware solutions / Firmware MELSEC-F FX3UC-16MT/D-P4 Hardware solutions / Firmware MELSEC-F FX3UC-16MT/DSS-P4 Hardware solutions / Firmware MELSEC-F FX3GC-32MT/D Hardware solutions / Firmware MELSEC-F FX3GC-32MT/DSS Hardware solutions / Firmware MELSEC-F FX3GE Hardware solutions / Firmware MELSEC-F FX3GA Hardware solutions / Firmware MELSEC-F FX3S Hardware solutions / Firmware MELSEC-F FX3S-30My/z-2AD Hardware solutions / Firmware MELSEC-F FX3SA-xMy-CM Hardware solutions / Firmware MELSEC-F FX3U-64MR/UA1 Hardware solutions / Firmware MELSEC-F FX3U-32MS/ES Hardware solutions / Firmware MELSEC-F FX3G Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5U Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MT/DS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MT/DSS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MR/DS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UJ Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5S Hardware solutions / Routers & switches, VoIP, GSM, etc
Vendor	Mitsubishi Electric

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Insufficient verification of data authenticity

EUVDB-ID: #VU82713

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-4699

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient verification of data authenticity. A remote attacker can reset the memory of the products to factory default state and perform a denial of service (DoS) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

MELSEC-F FX3U: All versions

MELSEC-F FX3U-32MR/UA1: All versions

MELSEC-F FX3U-64MS/ES: All versions

MELSEC-F FX3UC: All versions

MELSEC-F FX3UC-16MR/D-T: All versions

MELSEC-F FX3UC-16MR/DS-T: All versions

MELSEC-F FX3UC-32MT-LT: All versions

MELSEC-F FX3UC-32MT-LT-2: All versions

MELSEC-F FX3UC-16MT/D-P4: All versions

MELSEC-F FX3UC-16MT/DSS-P4: All versions

MELSEC-F FX3G: All versions

MELSEC-F FX3GC-32MT/D: All versions

MELSEC-F FX3GC-32MT/DSS: All versions

MELSEC-F FX3GE: All versions

MELSEC-F FX3GA: All versions

MELSEC-F FX3S: All versions

MELSEC-F FX3S-30My/z-2AD: All versions

MELSEC-F FX3SA-xMy-CM: All versions

MELSEC iQ-F FX5U: All versions

MELSEC iQ-F FX5UC: All versions

MELSEC iQ-F FX5UC-32MT/DS-TS: All versions

MELSEC iQ-F FX5UC-32MT/DSS-TS: All versions

MELSEC iQ-F FX5UC-32MR/DS-TS: All versions

MELSEC iQ-F FX5UJ: All versions

MELSEC iQ-F FX5S: All versions

MELSEC-F FX3U-64MR/UA1: All versions

MELSEC-F FX3U-32MS/ES: All versions

External links

http://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-013_en.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.