Insufficient verification of data authenticity in Mitsubishi Electric MELSEC Series
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-4699 |
| CWE-ID | CWE-345 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
MELSEC-F FX3U Hardware solutions / Firmware MELSEC-F FX3U-32MR/UA1 Hardware solutions / Firmware MELSEC-F FX3U-64MS/ES Hardware solutions / Firmware MELSEC-F FX3UC Hardware solutions / Firmware MELSEC-F FX3UC-16MR/D-T Hardware solutions / Firmware MELSEC-F FX3UC-16MR/DS-T Hardware solutions / Firmware MELSEC-F FX3UC-32MT-LT Hardware solutions / Firmware MELSEC-F FX3UC-32MT-LT-2 Hardware solutions / Firmware MELSEC-F FX3UC-16MT/D-P4 Hardware solutions / Firmware MELSEC-F FX3UC-16MT/DSS-P4 Hardware solutions / Firmware MELSEC-F FX3GC-32MT/D Hardware solutions / Firmware MELSEC-F FX3GC-32MT/DSS Hardware solutions / Firmware MELSEC-F FX3GE Hardware solutions / Firmware MELSEC-F FX3GA Hardware solutions / Firmware MELSEC-F FX3S Hardware solutions / Firmware MELSEC-F FX3S-30My/z-2AD Hardware solutions / Firmware MELSEC-F FX3SA-xMy-CM Hardware solutions / Firmware MELSEC-F FX3U-64MR/UA1 Hardware solutions / Firmware MELSEC-F FX3U-32MS/ES Hardware solutions / Firmware MELSEC-F FX3G Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5U Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MT/DS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MT/DSS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UC-32MR/DS-TS Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5UJ Hardware solutions / Routers & switches, VoIP, GSM, etc MELSEC iQ-F FX5S Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Insufficient verification of data authenticity
EUVDB-ID: #VU82713
Risk: High
CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-4699
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient verification of data authenticity. A remote attacker can reset the memory of the products to factory default state and perform a denial of service (DoS) attack.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsMELSEC-F FX3U: All versions
MELSEC-F FX3U-32MR/UA1: All versions
MELSEC-F FX3U-64MS/ES: All versions
MELSEC-F FX3UC: All versions
MELSEC-F FX3UC-16MR/D-T: All versions
MELSEC-F FX3UC-16MR/DS-T: All versions
MELSEC-F FX3UC-32MT-LT: All versions
MELSEC-F FX3UC-32MT-LT-2: All versions
MELSEC-F FX3UC-16MT/D-P4: All versions
MELSEC-F FX3UC-16MT/DSS-P4: All versions
MELSEC-F FX3G: All versions
MELSEC-F FX3GC-32MT/D: All versions
MELSEC-F FX3GC-32MT/DSS: All versions
MELSEC-F FX3GE: All versions
MELSEC-F FX3GA: All versions
MELSEC-F FX3S: All versions
MELSEC-F FX3S-30My/z-2AD: All versions
MELSEC-F FX3SA-xMy-CM: All versions
MELSEC iQ-F FX5U: All versions
MELSEC iQ-F FX5UC: All versions
MELSEC iQ-F FX5UC-32MT/DS-TS: All versions
MELSEC iQ-F FX5UC-32MT/DSS-TS: All versions
MELSEC iQ-F FX5UC-32MR/DS-TS: All versions
MELSEC iQ-F FX5UJ: All versions
MELSEC iQ-F FX5S: All versions
MELSEC-F FX3U-64MR/UA1: All versions
MELSEC-F FX3U-32MS/ES: All versions
CPE2.3- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3u:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3u-32mr_ua1:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3u-64ms_es:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-16mr_d-t:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-16mr_ds-t:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-32mt-lt:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-32mt-lt-2:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-16mt_d-p4:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3uc-16mt_dss-p4:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3g:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3gc-32mt_d:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3gc-32mt_dss:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3ge:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3ga:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3s:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3s-30my_z-2ad:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3sa-xmy-cm:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5u:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5uc:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5uc-32mt_ds-ts:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5uc-32mt_dss-ts:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5uc-32mr_ds-ts:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5uj:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec_iq-f_fx5s:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3u-64mr_ua1:*:*:*:*:*:*:*:*
- cpe:2.3:h:mitsubishi_electric:melsec-f_fx3u-32ms_es:*:*:*:*:*:*:*:*
https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-013_en.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
