Vulnerability identifier: #VU28933

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-13238

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MELSEC iQ-R series
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Mitsubishi Electric

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send specially crafted packets, trigger resource exhaustion and perform a denial of service (DoS) attack.

This vulnerability affects the following MELSEC iQ-R series modules: 

• R04/08/16/32/120CPU, R04/08/16/32/120ENCPU: Firmware Versions 39 or earlier
• R00/01/02CPU: Firmware Versions 7 or earlier
• R08/16/32/120SFCPU: Firmware Versions 20 or earlier
• R08/16/32/120PCPU: All versions
• R08/16/32/120PSFCPU: All versions
• RJ71EN71: All versions

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MELSEC iQ-R series: All versions

---

External links
http://ics-cert.us-cert.gov/advisories/icsa-20-161-02

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.