Resource exhaustion in Mitsubishi Electric Hardware solutions

#VU22634 Resource exhaustion in Mitsubishi Electric Hardware solutions

Published: 2019-11-11

Vulnerability identifier: #VU22634

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13555

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vendor: Mitsubishi Electric

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper resource management. A remote attacker can trigger resource exhaustion and cause the FTP service to enter a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server on the affected CPU modules.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Q03UDVCPU: 21081

Q04UDVCPU: 21081

Q06UDVCPU: 21081

Q13UDVCPU: 21081

Q26UDVCPU: 21081

Q04UDPVCPU: 21081

Q06UDPVCPU: 21081

Q13UDPVCPU: 21081

Q26UDPVCPU: 21081

MELSEC-Q Q03UDECPU: 21081

Q04UDEHCPU: 21081

Q06UDEHCPU: 21081

Q10UDEHCPU: 21081

Q13UDEHCPU: 21081

Q20UDEHCPU: 21081

Q26UDEHCPU: 21081

Q50UDEHCPU: 21081

Q100UDEHCPU: 21081

MELSEC-L L02CPU: 21101

MELSEC-L L06CPU: 21101

MELSEC-L L26CPU: 21101

MELSEC-L L26CPU-BT: 21101

MELSEC-L L02CPU-P: 21101

MELSEC-L L06CPU-P: 21101

MELSEC-L L26CPU-P: 21101

MELSEC-L L26CPU-PBT: 21101

MELSEC-L L02CPU-CM: 21101

MELSEC-L L06CPU-CM: 21101

MELSEC-L L26CPU-CM: 21101

MELSEC-L L26CPU-BT-CM: 21101

External links
http://ics-cert.us-cert.gov/advisories/icsa-19-311-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Mitsubishi Electric MELSEC-Q Series and MELSEC-L CPU Modules