Detections
Analytics

Mitsubishi Electric MELSEC iQ-R, Q and L Series Uncontrolled Resource Consumption (CVE-2020-5652)

high Tenable OT Security Plugin ID 500395

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Uncontrolled resource consumption vulnerability in Ethernet Port on MELSEC iQ-R, Q and L series CPU modules (R 00/01/02 CPU firmware versions '20' and earlier, R 04/08/16/32/120 (EN) CPU firmware versions '52' and earlier, R 08/16/32/120 SFCPU firmware versions '22' and earlier, R 08/16/32/120 PCPU all versions, R 08/16/32/120 PSFCPU all versions, R 16/32/64 MTCPU all versions, Q03 UDECPU, Q 04/06/10/13/20/26/50/100 UDEHCPU serial number '22081' and earlier , Q 03/04/06/13/26 UDVCPU serial number '22031' and earlier, Q 04/06/13/26 UDPVCPU serial number '22031' and earlier, Q 172/173 DCPU all versions, Q 172/173 DSCPU all versions, Q 170 MCPU all versions, Q 170 MSCPU all versions, L 02/06/26 CPU (-P) and L 26 CPU - (P) BT all versions) allows a remote unauthenticated attacker to stop the Ethernet communication functions of the products via a specially crafted packet, which may lead to a denial of service (DoS) condition . This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Mitsubishi Electric released the fixed version of the product. Refer to the list below to check if the version of your product is updatable and take the measures described after the list:

- MELSEC iQ-R R00 CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R01 CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R02 CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R04 (EN) CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R08 (EN) CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R16 (EN) CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R32 (EN) CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R120 (EN) CPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R08 SFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R16 SFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R32 SFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R120 SFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R08 PCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R16 PCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R32 PCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R120 PCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R08 PSFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R16 PSFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R32 PSFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R120 PSFCPU firmware: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- MELSEC iQ-R R16 MTCPU operating system software: Updatable in all versions
- MELSEC iQ-R R32 MTCPU operating system software: Updatable in all versions
- MELSEC iQ-R R64 MTCPU operating system software: Updatable in all versions
- MELSEC Q Q03 UDECPU: Not updatable in any version
- MELSEC Q Q04 UDEHCPU: Not updatable in any version
- MELSEC Q Q06 UDEHCPU: Not updatable in any version
- MELSEC Q Q10 UDEHCPU: Not updatable in any version
- MELSEC Q Q13 UDEHCPU: Not updatable in any version
- MELSEC Q Q20 UDEHCPU: Not updatable in any version
- MELSEC Q Q26 UDEHCPU: Not updatable in any version
- MELSEC Q Q50 UDEHCPU: Not updatable in any version
- MELSEC Q Q100 UDEHCPU: Not updatable in any version
- MELSEC Q Q03 UDVCPU: Not updatable in any version
- MELSEC Q Q04 UDVCPU: Not updatable in any version
- MELSEC Q Q06 UDVCPU: Not updatable in any version
- MELSEC Q Q13 UDVCPU: Not updatable in any version
- MELSEC Q Q26 UDVCPU: Not updatable in any version
- MELSEC Q Q04 UDPVCPU: Not updatable in any version
- MELSEC Q Q06 UDPVCPU: Not updatable in any version
- MELSEC Q Q13 UDPVCPU: Not updatable in any version
- MELSEC Q Q26 UDPVCPU: Not updatable in any version
- MELSEC Q Q172 DCPU-S1 operating system software: Updatable in all versions
- MELSEC Q Q173 DCPU-S1 operating system software: Updatable in all versions
- MELSEC Q Q172 DSCPU operating system software: Updatable in all versions
- MELSEC Q Q173 DSCPU operating system software: Updatable in all versions
- MELSEC Q Q170 MCPU operating system software: Updatable in all versions
- MELSEC Q Q170 MSCPU(-S1) operating system software: Updatable in all versions
- MELSEC Q MR-MQ100 operating system software: Updatable in all versions
- MELSEC L L02 CPU (-P): Not updatable in any version
- MELSEC L L06 CPU (-P): Not updatable in any version
- MELSEC L L26 CPU (-P): Not updatable in any version
- MELSEC L L26 CPU - (P) BT: Not updatable in any version

In case your product is updatable, download a fixed update file from the following site and update the firmware or operating system software: https://www.mitsubishielectric.com/fa/download/index.html

For the fixed versions, see Mitsubishi Electric advisory

Refer to below for detail on updating:

- "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual
- "8.4 Installing the Operating System Software" in the MELSEC iQ-R Motion Controller Programing Manual (Common)
- "5.3 Operating System Software Installation Procedure" in the Q173D(S)/Q172(S)CPU Motion Controller User's Manual
- "5.3 Operating System Software Installation Procedure" in the Q170MCPU Motion Controller User's Manual
- "5.3 Operating System Software Installation Procedure" in the Q170MSCPU Motion Controller User's Manual
- "5.3 Operating System Software Installation Procedure" in the MR-MQ100 Motion Controller User's Manual (Details)

In case your product is not updatable, Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

- Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
- Use within a LAN and block access from untrusted networks and hosts through firewalls.

Please refer to Mitsubishi Electric's website for details on available patches.Mitsubishi Electric recommends users update their products by downloading and applying the latest versions. Please contact a Mitsubishi Electric representative for additional details.

For specific additional details, see [Mitsubishi Electric advisory 2020-013].(https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf).

See Also

http://www.nessus.org/u?3f5c6d18

https://jvn.jp/vu/JVNVU96558207/index.html

https://www.cisa.gov/news-events/ics-advisories/icsa-20-303-01

http://www.nessus.org/u?066cb413

Plugin Details

Severity: High

ID: 500395

File Name: tenable_ot_mitsubishi_CVE-2020-5652.nasl

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 2/14/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-5652

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:mitsubishielectric:melsec_iq-r16sfcpu_firmware:22, cpe:/o:mitsubishielectric:melsec_iq-r08sfcpu_firmware:22, cpe:/o:mitsubishielectric:melsec_q-q50udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_iq-r16pcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r32encpu_firmware:52, cpe:/o:mitsubishielectric:melsec_iq-r02cpu_firmware:20, cpe:/o:mitsubishielectric:melsec_q-q03udecpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_iq-r32psfcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r08psfcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r00cpu_firmware:20, cpe:/o:mitsubishielectric:melsec_q-q04udvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_l02cpu-p_firmware:-, cpe:/o:mitsubishielectric:melsec_l26cpu-pbt_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r120pcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r08pcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q10udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_q-q06udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_q-q172dscpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q172dcpu-s1_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r32pcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r16encpu_firmware:52, cpe:/o:mitsubishielectric:melsec_q-q04udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_q-q170mcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_l26cpu-p_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r32sfcpu_firmware:22, cpe:/o:mitsubishielectric:melsec_q-q03udvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_q-q04udpvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_iq-r120encpu_firmware:52, cpe:/o:mitsubishielectric:melsec_l06cpu-p_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q26udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_iq-r04encpu_firmware:52, cpe:/o:mitsubishielectric:melsec_q-q173dcpu-s1_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q100udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_q-q26udpvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_iq-r64mtcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q26udvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_iq-r01cpu_firmware:20, cpe:/o:mitsubishielectric:melsec_q-q13udpvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_q-q13udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_iq-r08encpu_firmware:52, cpe:/o:mitsubishielectric:melsec_iq-r32mtcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_iq-r16psfcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q173dscpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q20udehcpu_firmware:22081, cpe:/o:mitsubishielectric:melsec_iq-r120psfcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q13udvcpu_firmware:22031, cpe:/o:mitsubishielectric:melsec_iq-r120sfcpu_firmware:22, cpe:/o:mitsubishielectric:melsec_iq-r16mtcpu_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q170mscpu-s1_firmware:-, cpe:/o:mitsubishielectric:melsec_q-qmr-mq100_firmware:-, cpe:/o:mitsubishielectric:melsec_q-q06udpvcpu_firmware:22031

Required KB Items: Tenable.ot/Mitsubishi

Exploit Ease: No known exploits are available

Patch Publication Date: 11/2/2020

Vulnerability Publication Date: 11/2/2020

Reference Information

CVE: CVE-2020-5652

CWE: 400

ICSA: 20-303-01