Vulnerability identifier: #VU64579
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-346
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
MELSEC-Q Q03UDECPU
Hardware solutions /
Routers & switches, VoIP, GSM, etc
MELSEC iQ-Q 04 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 06 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 10 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 13 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 20 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 26 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 50 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 100 UDEHCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 03 UDVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 04 UDVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 06 UDVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 13 UDVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 26 UDVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 04 UDPVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 06 UDPVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 13 UDPVCPU
Hardware solutions /
Firmware
MELSEC iQ-Q 26 UDPVCPU
Hardware solutions /
Firmware
MELSEC L Series L26CPU-(P)BT
Hardware solutions /
Firmware
MELSEC L Series L26CPU(-P)
Hardware solutions /
Firmware
MELSEC L Series L02CPU(-P)
Hardware solutions /
Firmware
MELSEC L Series L06CPU(-P)
Hardware solutions /
Firmware
Vendor: Mitsubishi Electric
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper resource locking. A remote attacker can send a specially crafted packet and cause a denial of service condition on the target system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
MELSEC-Q Q03UDECPU: All versions
MELSEC iQ-Q 04 UDEHCPU: All versions
MELSEC iQ-Q 06 UDEHCPU: All versions
MELSEC iQ-Q 10 UDEHCPU: All versions
MELSEC iQ-Q 13 UDEHCPU: All versions
MELSEC iQ-Q 20 UDEHCPU: All versions
MELSEC iQ-Q 26 UDEHCPU: All versions
MELSEC iQ-Q 50 UDEHCPU: All versions
MELSEC iQ-Q 100 UDEHCPU: All versions
MELSEC iQ-Q 03 UDVCPU: 24051
MELSEC iQ-Q 04 UDVCPU: 24051
MELSEC iQ-Q 06 UDVCPU: 24051
MELSEC iQ-Q 13 UDVCPU: 24051
MELSEC iQ-Q 26 UDVCPU: 24051
MELSEC iQ-Q 04 UDPVCPU: 24051
MELSEC iQ-Q 06 UDPVCPU: 24051
MELSEC iQ-Q 13 UDPVCPU: 24051
MELSEC iQ-Q 26 UDPVCPU: 24051
MELSEC L Series L26CPU-(P)BT: 24051
MELSEC L Series L26CPU(-P): 24051
MELSEC L Series L02CPU(-P): 24051
MELSEC L Series L06CPU(-P): 24051
External links
http://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-007_en.pdf
http://jvn.jp/vu/JVNVU90895626/index.html
http://www.cisa.gov/uscert/ics/advisories/icsa-22-172-01
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.